SCI104: How to Migrate from SAP CUA to SAP NetWeaver Identity Management 7.1

Go Live Strategies and Case Study

Birger Tödtmann, SAP Consulting
Rene Feister, SAP Consulting
Frank Buchholz, Active Global Support

October 2010

© 2010 SAP AG. All rights reserved.

Disclaimer

This presentation outlines our general product direction and should not be relied on in making a purchase decision. This presentation is not subject to your license agreement or any other agreement with SAP. SAP has no obligation to pursue any course of business outlined in this presentation or to develop or release any functionality mentioned in this presentation. This presentation and SAP's strategy and possible future developments are subject to change and may be changed by SAP at any time for any reason without notice. This document is provided without a warranty of any kind, either express or implied, including but not limited to, the implied warranties of merchantability, fitness for a particular purpose, or non-infringement. SAP assumes no responsibility for errors or omissions in this document, except if such damages were caused by SAP intentionally or grossly negligent.


Agenda

1. SAP CUA vs. SAP NW IDM
   SAP Central User Administration
   SAP NetWeaver Identity Management 7.1
   Functional Comparison CUA vs. IDM 7.1
2. Replacement Challenges
   Identifying CUA "must haves"
   Implementing CUA features in IDM 7.1
3. Go Live Strategies
   "Big bang"
   Smooth cut-over
4. Case study
5. Summary


SAP Central User Administration (CUA)

Benefits

[Diagram: CUA Central System and CUA Client Systems (DEV, QA, PRD)]

Create / delete users
Change global attributes
Assign / remove roles
Mass changes
Position based indirect assignments (CUA on HR system)


Identity Management with CUA

Drawbacks

[Diagram labels: e.g. on-boarding; CUA; Provisioning for ABAP-based systems; LDAP Directory; 3rd Party Identity Management Product; Synchronization; UME data source]


SAP NetWeaver Identity Management

Benefits

e.g. on-boarding
SAP NetWeaver Identity Management
Password management
Provisioning to SAP and non-SAP systems
Identity mgmt. monitoring & audit
Rule-based assignment of business roles
Identity virtualization and identity as service
Approval workflows
Central Identity Store
SAP BusinessObjects Access Control (GRC)
Compliance checks through GRC
SAP Business Suite Integration


Why Choose SAP NW Identity Management?

High-Level Comparison of SAP CUA with SAP NW IdM

| Functionality | Central User Administration (CUA) | SAP NetWeaver Identity Management 7.1 (IdM) |
|---|---|---|
| Target Systems | ABAP only | SAP and non-SAP |
| Workflow Support | No | Yes |
| Rule based access management | almost no (except the rarely used HR org. rule engine) | Yes |
| Modeling of role hierarchy | No | Yes |
| Cross system role assignments | Manual | Full support |
| LDAP directory integration | LDAP synchronization | Full support |
| Password management | Management and distribution of initial passwords | Yes; including user interface and workflow support |


Functional Comparison – SAP CUA vs. SAP NW IdM 7.1 (1/2)

| Criteria | SAP CUA | SAP NW IdM | Comments For SAP NW IdM |
|---|---|---|---|
| User Interface | Clearly defined standard SAP UI; BUT very limited flexibility to change | Standard UI tasks existing; some with limitations | Custom UI tasks can be created. Flexibility is limited to standard WebDynpro for Java UI |
| Mass User Changes | Transaction SU10 | No standard tasks or jobs existing | CSV based upload can be used in IdM. Required upload jobs have to be created |
| Reporting | Transaction SUIM | No standard reports existing | Custom reports can be created in IdM. Depending on the requirements this can be a significant effort. Approach not as dynamic as the SUIM approach. Ad-hoc approach: perform database queries directly |
| E-Mail Notifications | Not available in standard | No standard tasks or jobs existing | But: E-Mail notifications can be added and linked quite easily in IdM |


Functional Comparison – SAP CUA vs. SAP NW IdM 7.1 (2/2)

| Criteria | SAP CUA | SAP NW IdM | Comments For SAP NW IdM |
|---|---|---|---|
| Business Role Model – Role Hierarchy | Single roles / composite roles, no inheritance model | Business roles that can be organized in a complex hierarchy | Complex role hierarchy, inheritance of role and privilege assignments. Role inheritance of AS ABAP roles not visible in IdM (privileges are flat) |
| Backend System Connectivity / Error Handling | ALE distribution model; iDoc reprocessing; standard synchronization job | No standard reprocessing available; no standard synchronization / reconciliation jobs available | Proper error handling / reprocessing needs to be implemented on project base. Job templates for SAP system reconciliation jobs provided by RIG can be used as starting point |
| User Interface – Display Of Created At / By; Last Modified At / By | Available in standard UI | Data is available in the database but not easily visible in the UI | Custom specific attributes have to be created that store and display the data in the UI |
| Support of local changes on backend system | Complex distribution model (global, local, proposal, redistribution) | Standard implementation supports only central approach | IdM as leading system. To support local changes, respective synchronization mechanisms have to be designed and built in the project |


IDM Requirements Analysis – With CUA Operation as Source (1)

1. Conduct a workshop with personnel from
   Helpdesk
   User & authorization administration
2. Explain functional gap: mass changes, SUIM features
3. Determine the mission-critical features the IDM replacement MUST have
4. Differ for "nice to haves"
5. Estimate efforts, make a plan
6. Prepare a decision proposal based on efforts and drawbacks if not implemented
7. Get decision for plan and budget


IDM Requirements Analysis – With CUA Operation as Source (2)

| As-Is Situation | Approach | To-Be Situation |
|---|---|---|
| User provisioning limited to SAP ABAP systems only. | Connector framework | One solution that can be used for any SAP system (includes SAP AS Java / Portal) plus non-SAP. |
| No standard approval workflow functionality in SAP CUA. | Built-in predefined WFs | Predefined approval workflow processes for user changes and authorization assignments. |
| Limited number and content of built-in reports in SAP NW IdM. | Enhanced reports | Extended preconfigured reports based on SAP Best Practices. |
| SAP NW IdM 7.1 does not fully offer all key SAP CUA functionality out of the box that admins are used to. | Mass operations | Providing UI and framework for SAP CUA operations like mass operations and copy functions. |


Some Examples of UI Tasks to be Built (1/2)

Additional UI tasks that need to be created; some screenshots are shown here:

Extended UI task for changes of identity attributes

Advanced UI tasks for changes of business roles


Some Examples of UI tasks to be Built (2/2)

Additional UI tasks that need to be created; some screenshots are shown here:

Password reset (per backend system)

Copy identity / copy assignments of identity

Trigger for provisioning


Go Live Strategies – "Big Bang" Approach (1/2)

Prep phase:
1. Backend systems are connected to CUA
2. Connect IDM to backend systems (no provisioning possible as long as they are CUA daughters)


Go Live Strategies – "Big Bang" Approach (2/2)

"Big Bang" phase:
3. Decouple all daughter systems from CUA
4. Make initial load of all backend systems in IDM, activate provisioning of backend systems in IDM

Setup easy, change is "at once" with high consistency, but complex Go Live event


Go Live Strategies – "Smooth Cut-Over" Approach (1/2)

Prep phase:
1. Backend systems are connected to CUA
2. Connect IDM to CUA and backend systems
   no direct provisioning to back ends possible as long as they are CUA daughters
   Use CUA as proxy, indirect provisioning


Go Live Strategies – "Smooth Cut-Over" Approach (2/2)

Step-by-Step Go Live:
One by one,
3. Pick a backend system, make initial load in IDM
4. Decouple backend system from CUA
5. Enable provisioning of backend system in IDM

More complex setup, but simpler Go Live scenario – change goes over days, more time


After Go Live – Prevent Inconsistencies

CUA daughter systems disable changes in SU01 / PFCG
With IDM 7.1, connected backend systems still allow changes
Inconsistencies could possibly enter the systems when no reconciliation jobs have been created in IDM
Disallow (by removing authorizations on S_USER_GRP) any changes in all connected backend systems
or
Create custom reconciliation report
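
A minimal sketch of the custom reconciliation report named above, as an added example that is not part of the original slides and not SAP code: it compares an extract of the IdM identity store with an extract of the backend systems and flags local changes that bypassed IdM. The extract layout (system,user,role), the sample rows and all function names are assumptions.

```python
import csv
import io

# Constructed sample extract of the IdM identity store (assumed layout:
# one row per system, user and role that IdM has provisioned).
IDM_EXTRACT = """system,user,role
PRD,ASMITH,Z_SALES_CLERK
PRD,ASMITH,Z_DISPLAY_ALL
PRD,BJONES,Z_WAREHOUSE
QA,ASMITH,Z_SALES_CLERK
QA,BJONES,Z_WAREHOUSE
"""

# Constructed sample extract of what the backend systems actually hold.
BACKEND_EXTRACT = """system,user,role
PRD,ASMITH,Z_SALES_CLERK
PRD,ASMITH,Z_USER_ADMIN
PRD,BJONES,Z_WAREHOUSE
PRD,TEMP01,Z_DISPLAY_ALL
QA,asmith,Z_SALES_CLERK
"""


def load_assignments(text):
    """Parse an extract into {(system, user): set_of_roles}, case-normalised."""
    result = {}
    for row in csv.DictReader(io.StringIO(text)):
        key = (row["system"].strip().upper(), row["user"].strip().upper())
        roles = result.setdefault(key, set())  # keeps users without any role
        role = (row["role"] or "").strip().upper()
        if role:
            roles.add(role)
    return result


def reconcile(idm, backend):
    """Return drift findings (kind, system, user, detail), ordered by system and user."""
    findings = []
    for key in sorted(set(idm) | set(backend)):
        system, user = key
        if key not in idm:
            # User exists on the backend but IdM never provisioned it there.
            findings.append(("ORPHAN_USER", system, user, ",".join(sorted(backend[key]))))
        elif key not in backend:
            # IdM believes the user is provisioned, the backend has no such user.
            findings.append(("MISSING_USER", system, user, ",".join(sorted(idm[key]))))
        else:
            for role in sorted(backend[key] - idm[key]):
                findings.append(("LOCAL_GRANT", system, user, role))
            for role in sorted(idm[key] - backend[key]):
                findings.append(("MISSING_GRANT", system, user, role))
    return findings


def needs_review(findings):
    """Findings where the backend grants more access than IdM knows about."""
    return [f for f in findings if f[0] in ("ORPHAN_USER", "LOCAL_GRANT")]


if __name__ == "__main__":
    drift = reconcile(load_assignments(IDM_EXTRACT), load_assignments(BACKEND_EXTRACT))
    for finding in drift:
        print(*finding, sep="\t")
```

The ORPHAN_USER and LOCAL_GRANT findings are the ones that matter most after go live, because they represent access created directly on a backend that the leading system cannot see or revoke.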


Project Overview

Large SAP Retail project
SAP Central User Administration has been used as central user administration tool for the system landscape of the project
Customer has been informed about SAP NW Identity Management 7.1 as the future tool to replace the SAP CUA on a long term perspective
Customer has been interested in the additional capabilities of the SAP NW IdM product such as:
   Integration with SAP HCM
   Integration with non-SAP systems such as MS Active Directory, Lotus Notes and LDAP
BUT: Focus of Release 1 of the SAP NW IdM project within the project was to replace the existing SAP CUA system by the new software and get familiar with it


In Scope / Out Of Scope - Release 1

Main focus: replacement of the SAP CUA system with some minor enhancements such as:
   E-Mail notifications to end users for user creation and password reset
   Creation of custom specific UI tasks
   Creation of .csv upload jobs that can be used to perform mass user creation and changes
   Addition of missing features such as Copy Identity, Copy Assignments (business roles, privileges) and more
A lot of the core IdM functionality was out of scope for Release 1 of the project, such as:
   User self services
   Approval workflows
   Password reset self service
   Integration with SAP HCM
   Integration with non-SAP systems (customer has not licensed the SAP NW IdM product yet)


Main Implementations / Developments – List (1/2)

Custom copy of the complete SAP Provisioning Framework folder created and adapted
   Reason was to be independent from upgrades / patches
E-Mail notifications to end users for user creation and password reset
   Specialty: Several systems in one combined E-Mail to the end user
Mass identity administration jobs based on .csv uploads
   Possibility to trigger the job execution from a UI task
   Identity Upload – Creation
   Identity Upload – Role Assignment
   Identity Upload – Reset Password
   Identity Upload – Lock / Unlock
   Business Role Upload – Creation
   Business Role Upload – Privilege Assignment


Main Implementations / Developments – List (2/2)

UI task for "Copy Assignments Of Identity"
   To copy business role and privilege assignments
   Possibility to define which repositories should be considered
   Flags to decide if business role assignments or privileges or both should be copied
Definition of a procedure and creation of jobs to support a "System Copy" / "System Refresh" process which is done quite often in the current project phase


Project Plan

High level planning

Installation (DEV and PRD system, database: Oracle, OS: UNIX)

Blueprint workshops

Blueprint writing

Blueprint review / approval / corrections

Configuration / development

Staging (unit testing with sandbox clients)

Business role design

Testing

Documentation

Go-Live support / Ongoing activities

Coaching / Know-How transfer to customer


Chosen Go Live Option

As helpdesk assistance was granted and enough budget was available for this approach, "smooth cut-over" was chosen, but without CUA as proxy.
Within two weeks, 20 clients had been disconnected from CUA and were reconnected to IDM
As some emergency user maintenance had to be done in between, reconciliation reports were used to synchronize back ends and the IC database
Go Live was very successful, CUA completely taken offline afterwards
Initially, CUA load was done to get all user data for prep purposes


Summary

Replacing CUA is a good strategic move in the long term and yields significant functional enhancements CUA can't offer in the short term
However, with NW-IDM 7.1 a CUA replacement is trivial neither functionally nor operationally
Functional gaps can be closed (with different grades of "completeness") by either
   Implementing CUA "must haves" yourself
   Getting up to speed with the CUA Replacement Pack – see next slide
   Waiting for availability of NW-IDM 7.2 and upgrading
Operationally, both big-bang and smooth cut-over are suitable options, depending on environment / situation
   Big-bang is a more complex Go Live scenario with more risks
   Smooth cut-over requires more effort but yields fewer Go Live risks

*SAP AS ABAP, SAP AS java, SAP Dual Stack, **tbd


At One Glance – CUA Replacement Pack for SAP NetWeaver Identity Management 7.1

We help you to replace an existing or implement a new central user administration based on SAP's recommended solution – SAP NetWeaver Identity Management 7.1.

Your Situation

You are running SAP CUA or you are planning to implement a new central user administration.
You are uncertain if you should replace your existing SAP CUA with SAP NetWeaver IdM 7.1, when to do it, or whether you should start with the implementation of SAP NetWeaver Identity Management for central user administration today.
You are hesitating because you are not sure about the migration path, nor the efforts for internal/external consulting or the timeline for an implementation.

Your Benefits

Get a ready-to-use implementation in your landscape for a fixed price. Use SAP NetWeaver Identity Management for managing your SAP and third party* systems today. Replace your existing SAP CUA system smoothly without disruptions in your productive user administration. Benefit from enhancements to the SAP standard based on SAP Best Practices including reconciliation jobs, mass data administration functionality, improved UI tasks and preconfigured report templates. Get optimized user management information from your SAP backend systems.

Our Procedure / Duration

Starting point is a 1 day workshop to explain the solution, verify it against your already existing implementation and plan the next steps. With the installation of the solution we do a 1 day handover workshop to enable you to use the solution. Two instances of SAP or third party* systems are connected.
Included are 3 additional days of consulting activities for implementation of additional features or a requirements analysis for a more advanced Identity Management Solution.
Precondition: SAP NW IdM 7.1 customer license available

SAP Contact

Florian Stolbrink
SAP Consulting
[email protected]

*according to Product Availability Matrix for CUA Replacement Pack


Further Information

SAP Public Web:

SAP Developer Network (SDN): www.sdn.sap.com/irj/sdn/nw-identitymanagement

Business Process Expert (BPX) Community: www.bpx.sap.com

SAP BusinessObjects Community (BOC): boc.sap.com

Related SAP Education and Certification Opportunities

http://www.sap.com/education/

Related Workshops/Lectures at SAP TechEd 2010

See next slides…

