Session ID: AGS101 User Management and Authorizations Overview


© SAP AG 2005, SAP TechEd ’05 / AGS101 / 2

Contributing Speakers

TechEd Vienna

Frank Buchholz, Security Product Manager, SAP AG

Jens Koster, Security Product Manager, SAP AG

TechEd Boston

Gerlinde Zibulski, Security Product Manager, SAP Labs LLC


Agenda

Identity Management with SAP
  Central User Administration
  Directory Integration
  Portal User Management Engine

Role Management with SAP
  ABAP Authorization Roles
  J2EE / UME Authorization Roles
  Portal Roles
  Role Integration Example

SAP’s strategy for Identity Management

Summary


Learning Objectives

As a result of this workshop, you will understand the concepts behind:

User Management with SAP, including:
  Central User Administration
  Directory Integration
  Portal User Management Engine
  Portal Roles
  Role Management in ABAP and Java based systems



Decentralized User Maintenance

Each SAP System has its own user data store

Decentralized user maintenance

Inconsistencies can occur between address data

(Diagram: separate user data stores in SAP BW, SAP APO, SAP R/3 Enterprise, SAP EBP and further SAP systems)


Central User Administration

Users can be administrated in central SAP system

Automatic distribution to client SAP systems

Local administration still possible (redistribution)

No inconsistencies

Central locks possible

(Diagram: CUA central system, SAP release as of 4.6C, distributes user data via ALE to CUA clients on SAP 6.x, SAP 4.6 and SAP 4.5)


User Management – Directory Integration

(Diagram: a meta-directory connecting HR, e-mail, telephony, the operating system, application 1 and application 2)


LDAP Synchronization

(Diagram: LDAP synchronization between an SAP ABAP system, release as of 6.10, and the directory)


HR Data Replication from SAP in an LDAP Enabled Directory Service

HR system 4.0 and higher with Plug-In System (PI 2001.2); 4.5 with Plug-In System (PI 2001.2)

Data retrieval in Personnel Management via Query or ABAP report

As of 4.70 HR can be connected directly to the LDAP directory

(Diagram: the HR system passes the data via RFC to SAP Web AS as of 6.10, which replicates it into the directory)


Central User Administration & LDAP Synchronization

(Diagram: CUA central system, SAP release as of 6.10, synchronized with the directory via LDAP and distributing user data via ALE to CUA clients on SAP 6.x, SAP 4.6 and SAP 4.5)


CUA & LDAP Synchronization & Enterprise Portal

(Diagram: Enterprise Portal with User Management Engine (UME) on the SAP J2EE Engine, its persistence store connected to the directory; the CUA central system (SAP release as of 6.10, SAP ABAP + J2EE Engine) synchronizes with the directory via LDAP and distributes user data via ALE to CUA clients on SAP 4.6, SAP 4.5 and SAP NetWeaver)


CUA & Enterprise Portal (no Directory)

(Diagram: Enterprise Portal with User Management Engine (UME) on the SAP J2EE Engine; the UME persistence store is itself an SAP CUA client connected via ALE to the CUA central system (SAP release as of 6.10, SAP ABAP + J2EE Engine), which also distributes user data via ALE to CUA clients on SAP 4.6, SAP 4.5 and SAP NetWeaver)


SAP Identity Management and Siemens Identity Management

(Diagram: SAP HR loads employee data into Central User Administration and the Enterprise Portal with User Management Engine (UME); provisioning incl. SPML integration*. Siemens HiPath SIcurity DirX Identity Management (DirX Identity, DirX Directory) covers provisioning and synchronization, account and group management, validation and reconciliation, password management, self-service, metadirectory and audit, and provisions e-mail, telephony, the operating system and non-SAP applications)

*SPML integration available as of SAP NetWeaver NW 2004s SPS5 and NW 2004 SPS14


SAP Identity Management and Siemens Identity Management

Siemens HiPath SIcurity DirX and DirX Identity complement SAP NetWeaver with Identity Management for heterogeneous landscapes

The solution provides uniform identity provisioning for the SAP Enterprise Portal and all SAP applications as well as non-SAP applications

SAP ships a Siemens HiPath SIcurity DirX and HiPath SIcurity DirX Identity demo license starting with the NetWeaver 2004s ramp-up phase

Customer Benefits
  Secure and centralized management of user identities and their access rights for all enterprise applications
  Regulatory compliance
  Increased operational efficiency and end user productivity
  Reduced administration and help-desk costs



SAP NetWeaver Enterprise Portal

Role-based, secure and Web based access to any kind of applications, information and services (ERP, CRM, …)

(Diagram: SAP Enterprise Portal 6.0 with Authentication and Single Sign On gives roles such as Sales Manager, Line Manager and Business Developer access to ERP, CRM and documents, the latter covered by KM)


Overview SAP Roles

Portal Roles … define what is displayed in the Portal

ABAP Roles (ABAP), UME Roles or J2EE Security Roles (Java) … define what authorizations the user has in the backend system


ABAP Roles and Portal Roles: A Comparison

ABAP Authorization Roles
  Roles (single roles) carry authorization information.
  The Profile Generator is part of the role administration in transaction PFCG.
  The content of Authorization Roles can be generated using the definition of Portal Roles.

Portal Roles
  Portal Roles carry the user interface information but (almost) no authorization information.
  Authorizations must still be maintained in the backend system.


Scenarios for Role Integration

When using different SAP components, different scenarios for managing identities are possible. The following slides describe an example with the following components:
  SAP Enterprise Portal
  ABAP based SAP Systems
  Directory Server

Scenario A:
  The administrator uses the UME to maintain users and portal role assignments
  Portal roles and the related ABAP authorization roles are linked together
  The system ensures that the necessary ABAP authorization roles are assigned, too

Scenario B:
  The administrator uses the CUA to maintain users and role assignments
  Portal roles and the related ABAP roles are linked together
  The system ensures that the necessary Portal roles are assigned, too


Scenario A: Role Maintenance

(Diagram: Enterprise Portal and CUA on the development systems for customizing, SAP ABAP + J2EE Engine)

1. Portal Role Maintenance
2. Transfer Role Information
3. Authorization Role Maintenance (using WP3R)
4. Transport to productive systems
5. Transfer Role Information to CUA


Scenario A: User Management based on a Directory

(Diagram: Directory, Enterprise Portal, CUA and SAP ABAP + J2EE Engine; the Portal persistence store is the directory, the CUA synchronizes with the directory via LDAP and distributes via ALE to the backend systems)

1. User Maintenance
2. Portal Role Assignment
3. Synchronize User Data
4. Publish Role Assignment
5. Authorization Role Assignment using transaction WP3R
6. Users get roles in backend systems


Scenario B: Role Maintenance

(Diagram: Enterprise Portal with persistence store, CUA and SAP ABAP + J2EE Engine on the development systems for customizing)

1. Portal Role Maintenance
2. Maintain auth. role templates for the Portal
3. Authorization Role Maintenance (using PFCG)
4. Transport to productive systems
5. Role - Group Assignment

SAP backend Authorization Role EQUALS Group in the Enterprise Portal!


Scenario B: User Management based on the CUA

(Diagram: Enterprise Portal with persistence store, CUA and SAP ABAP + J2EE Engine, connected via ALE)

1. User Maintenance
2. Role Assignment
3. Users get authorization roles in the backend systems; users get groups and indirect roles in the Portal

SAP backend Authorization Role EQUALS Group in the Enterprise Portal!



Central Person (ABAP)

(Diagram: a Central Person with name, identification and addresses as central attributes, linked to: User Management (R/3 User Account, Portal User Account and Identity, each with additional attributes); Personnel Administration (Employee with terms of employment and additional attributes); CRM (Customer Data Sets, Account with additional attributes); Organizational Management (the Central Person as holder of Position 1, 2 or 3 in Unit A / Faculty A and Unit B / Faculty B of the Company / University))


Identity Provisioning – Big Picture

(Diagram: Central Identity Management with an Identity Model and Provisioning. Data sources for identities (inbound): SAP HR, SAP CRM, LDAP directory. Target systems for provisioning (outbound): J2EE Engine, ABAP systems, SAP Web AS ABAP+Java, non-SAP systems, and a partner provisioning system reached through the Provisioning Interface (SPML))



Summary

SAP leverages various user persistence store options.

SAP allows for roles and authorizations with appropriate strength.

SAP further enhances its Identity Management features and functions.

SAP will develop its own solution for the external user account provisioning application (for SAP and non-SAP applications) based on NetWeaver.

The existing applications (User Management Engine / Central User Administration / Directory Integration) will be an integral part of the new solution.

Customers who use these applications are following SAP's recommendation exactly.


Further Information (Boston)

Public Web
  www.sap.com
  NetWeaver Developer's Guide: www.sdn.sap.com/sdn/developersguide.sdn
  SAP Developer Network: www.sdn.sap.com (SAP NetWeaver Platform Security)
  SAP Customer Services Network: www.sap.com/services/

Related Workshops/Lectures at SAP TechEd 2005
  AGS351, User Management and Authorizations – The Details
  AGS103, Identity Management – Streamlining the User Provisioning Process Between HR, LDAP, and CUA
  AGS104, SAP MIC Tool – SAP NetWeaver in Support of Sarbanes-Oxley Requirements
  AGS105, Security Primer
  AGS201, Sarbanes-Oxley Compliance – Challenges and Benefits
  CD261, Using Authorizations in Java Application Development

Related SAP Education Training Opportunities
  http://www.sap.com/education/ ADM940-960


Further Information (Vienna)

Related Workshops/Lectures at SAP TechEd 2005
  AGS104, SAP MIC Tool – SAP NetWeaver in Support of Sarbanes-Oxley Requirements, Fri, 9:15 a.m. – 10:15 a.m., L3
  AGS106, Virus Scanning of Documents in SAP Applications, Thu, 6:00 p.m. – 7:00 p.m., L3
  AGS200, Increasing Infrastructure Security by using Application Gateways, Fri, 10:45 a.m. – 12:45 p.m., L4
  AGS202, Security in SAP Internet Transaction Server (ITS) Landscapes, Fri, 11:45 a.m. – 12:45 p.m., L3
  AGS350, Configuring J2EE & SAP NetWeaver Portal UME Authentication, Thu, 2:15 p.m. – 4:15 p.m., H2


SAP Developer Network

http://www.sdn.sap.com/


Questions?

Q&A

[email protected]

URL: http://service.sap.com/security


Feedback

Please complete your session evaluation.

Be courteous – deposit your trash, and do not take the handouts for the following session.

Thank You!


Appendix


Comparison of Authorization related Objects

(Table, read from Users at the top down to Authorizations; columns: ABAP, J2EE with J2EE Security Roles, J2EE with UME Roles)

Collection of Users or Authorizations:  Composite Role | User Group | User Group
Collection of Authorizations:           ABAP Role | User Group | UME Role
Authorizations:                         Authorizations | J2EE Security Role | Actions


SAP J2EE Security Models

J2EE supports two different security models:

Declarative security (Standard J2EE Security Roles)
  Access control linked to the resource (executables)
  Decouples access control from application logic
  Easy to implement and maintain

Programmatic security (SAP specific Permission, Action, UME Role)
  Access control within Java code
  More flexible but linked to application logic
  More work to implement

SAP adds its well known role concept to J2EE applications

Java programs reuse business services in ABAP and inherit the ABAP authorization concept


J2EE Role Concept (Example) – Declarative Security

(Diagram: an EJB, e.g. a Java program to display / maintain something, packaged in a JAR inside an EAR, with the methods change and display. The J2EE Security Role "Change" protects method change and is mapped to User Group CHANGE; the J2EE Security Role "Display" protects method display and is mapped to User Group DISPLAY. User1 and User2 obtain access through their membership in these groups.)
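The two security models of the preceding slide applied to the display / maintain EJB shown here, as an added example that is not code from the presentation. It uses the EJB 3 annotation form of the ejb-jar.xml method-permission; the method names and the roles Display and Change come from the slide, while the package, class name, in-memory store and the "sensitive" flag are assumptions.

```java
// Added example, not from the slides: the display / maintain EJB of slide 38
// under both J2EE security models. Methods display/change and the roles
// "Display"/"Change" come from the slide; package, class name, store and the
// "sensitive" flag are assumptions.
package com.example.ags101;

import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.annotation.Resource;
import javax.annotation.security.RolesAllowed;
import javax.ejb.EJBAccessException;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;

@Stateless
public class MaintainBean {
    @Resource
    private SessionContext ctx;

    // Constructed stand-in for the "something" being displayed / maintained.
    private static final Map<String, Record> STORE = new ConcurrentHashMap<>();

    static final class Record {
        final String value; final boolean sensitive;
        Record(String v, boolean s) { value = v; sensitive = s; }
    }

    // Declarative security: the container rejects callers outside these roles
    // before the body runs; this annotation is the equivalent of a
    // <method-permission> entry in ejb-jar.xml. Mapping role "Display" to
    // user group DISPLAY (and "Change" to CHANGE) is done at deployment in
    // the server-specific descriptor, not in this code.
    @RolesAllowed({"Display", "Change"})
    public String display(String key) {
        Record r = STORE.get(key);
        if (r == null) {
            return null;
        }
        // Programmatic security: one method, caller-dependent behaviour.
        // "Mask this field unless the caller may also change it" cannot be
        // declared in the descriptor; it needs a check in the Java code.
        if (r.sensitive && !ctx.isCallerInRole("Change")) {
            return "****";
        }
        return r.value;
    }

    @RolesAllowed("Change")
    public void change(String key, String value, boolean sensitive) {
        // Defence in depth: re-check in code so that a descriptor which lost
        // its method-permission entry on redeploy still fails closed.
        if (!ctx.isCallerInRole("Change")) {
            throw new EJBAccessException("caller "
                    + ctx.getCallerPrincipal().getName() + " is not in role Change");
        }
        STORE.put(key, new Record(value, sensitive));
    }
}
```

A caller in group DISPLAY only can invoke display but sees "****" for sensitive records; a caller in group CHANGE sees the value and may invoke change, and any call outside both roles is rejected by the container before the method body runs.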


UME Role Concept – Programmatic Security

(Diagram: Permissions 1, 2 and 3 of Application 1 are grouped into Action 1 and Action 2; Permissions 4, 5 and 6 of Application 2 into Action 3 and Action 4. Actions are assigned to UME Role 1 and UME Role 2, which in turn are assigned to users or groups.)


ABAP and Java together

(Diagram: Presentation Layer with Web Dynpro on both the ABAP and the Java side; Business Layer with Function / BAPI in ABAP and EJB in Java, connected via JCo (the recommended connectivity between ABAP and Java); Persistence via Open SQL into the ABAP schema and the Java schema of one database instance)

Business relevant authority check based on ABAP roles

Business relevant authority check based on UME roles

Program flow with authorization checks in both ABAP and Java


Copyright 2005 SAP AG. All Rights Reserved

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.

Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.

Microsoft, Windows, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation.

IBM, DB2, DB2 Universal Database, OS/2, Parallel Sysplex, MVS/ESA, AIX, S/390, AS/400, OS/390, OS/400, iSeries, pSeries, xSeries, zSeries, z/OS, AFP, Intelligent Miner, WebSphere, Netfinity, Tivoli, and Informix are trademarks or registered trademarks of IBM Corporation.

Oracle is a registered trademark of Oracle Corporation.

UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group.

Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc.

HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology.

Java is a registered trademark of Sun Microsystems, Inc.

JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape.

MaxDB is a trademark of MySQL AB, Sweden.

SAP, R/3, mySAP, mySAP.com, xApps, xApp, SAP NetWeaver, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world. All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary.

The information in this document is proprietary to SAP. No part of this document may be reproduced, copied, or transmitted in any form or for any purpose without the express prior written permission of SAP AG.

This document is a preliminary version and not subject to your license agreement or any other agreement with SAP. This document contains only intended strategies, developments, and functionalities of the SAP® product and is not intended to be binding upon SAP to any particular course of business, product strategy, and/or development. Please note that this document is subject to change and may be changed by SAP at any time without notice.

SAP assumes no responsibility for errors or omissions in this document. SAP does not warrant the accuracy or completeness of the information, text, graphics, links, or other items contained within this material. This document is provided without a warranty of any kind, either express or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose, or non-infringement.

SAP shall have no liability for damages of any kind including without limitation direct, special, indirect, or consequential damages that may result from the use of these materials. This limitation shall not apply in cases of intent or gross negligence.

The statutory liability for personal injury and defective products is not affected. SAP has no control over the information that you may access through the use of hot links contained in these materials and does not endorse your use of third-party Web pages nor provide any warranty whatsoever relating to third-party Web pages.