Tips & Tricks for a full scale IdM implementation

Tips & Tricks for a full scale IdM implementation. IT and Cloud Management -> Security, Identity Management and Single Sign-On. SAP D-Code Berlin 2014 Exclusive Presentation. Ani Nenkova, IdM Lead Consultant; Todor Petrov, Solution Architect.

description

Here you can find the slides of our presentation with Coca Cola Hellenic at SAP d-code 2014 in Berlin.

Transcript of Tips & Tricks for a full scale IdM implementation

Page 1: Tips & Tricks for a full scale IdM implementation

Tips & Tricks for a full scale IdM implementation

IT and Cloud Management -> Security, Identity Management and Single Sign-On

SAP D-Code Berlin 2014 Exclusive Presentation

Ani Nenkova, IdM Lead Consultant

Todor Petrov, Solution Architect

Page 2: Tips & Tricks for a full scale IdM implementation

About Coca Cola Hellenic

• Largest bottler of The Coca-Cola Company in Europe

• Serving 585 million people in 28 countries

• Product portfolio comprises 136 brands

• Sustainable growth and market leadership strategy

• Innovative and cost-effective IT strategy with highest security standards

• SOX ITGC compliant

“WE STRIVE TO BE A BENCHMARK BUSINESS PARTNER, ACCELERATING VALUE CREATION & COST OPTIMIZATION, AND SUSTAINING CCH AS A SUPPLIER OF CHOICE THROUGH FAST DELIVERY OF SIMPLE, INNOVATIVE AND COST EFFECTIVE SOLUTIONS AND SERVICES.”

Page 3: Tips & Tricks for a full scale IdM implementation

Coca-Cola Hellenic geographic footprint

Page 4: Tips & Tricks for a full scale IdM implementation

Before SAP IdM implementation

• User access requests were manually initiated by the Line Manager of the respective employee

• The old self service solution was internally developed and integrated with the ticketing platform of CCH - Magic BMC

• The process was based on manual processing of tickets

• Approved access was granted manually in each individual system

[Diagram labels: Pre-defined SAP Roles or comments for other systems; Country SAP Authorization Matrix; Approval and SOD check of User Access; Manual assignment of the roles by CUA Team]

Page 5: Tips & Tricks for a full scale IdM implementation

Pain points of the old implementation

• The access to systems and data for all centrally supported applications (SAP, Active Directory, Internet, RSA, Magic, Lotus Notes, etc.) was managed manually by IT operations, Central User Access Team (CUAT)

• The number of queries related to user access was between 7 000 and 8 000 requests per month, which increased the risk for quality of service and security breaches

• There was no central repository for managing all access (SAP and non-SAP), which limited the reporting capabilities and transparency of the current user access

• The old approach did not guarantee timely removal of obsolete access rights, which automatically led to risk of audit findings and increased license costs

• No automated user access processes based on HR actions like Hiring, Termination, Long-term absence, Position change, etc.

Page 6: Tips & Tricks for a full scale IdM implementation

SAP IdM @ CCH

• SAP IdM was introduced in November 2012 with pilot countries Romania & Moldova

• Currently the implementation spreads to 21 countries with approx. 38 000 internal and external employees

• The solution will be rolled out in all 28 CCH countries by March 2015

[Diagram labels: HCM; IdM; SAP Portal / BPM; CUA, MAGIC, RSA, LN, AD]

Page 7: Tips & Tricks for a full scale IdM implementation

User access workflow

[Diagram labels: HCM; IdM; Self-service; Manual; Automatic; HR actions; BPM; initiate process; Automatic Provisioning; GRC checks; Approvals; Manual Provisioning; Auth. Matrix; SAP Portal]

Page 8: Tips & Tricks for a full scale IdM implementation

Benefits of the new implementation

• Automated workflow process and automated user access management based on HR actions and self-service requests with pre-defined SLAs

• 40% of previously manual requests are fully automated

• SAP IdM acts as a central repository for any user access (manual and automated applications)

• Improved security and compliance with regards to SOX ITGC regulations

• Significant decrease in the license costs due to prompt de-provisioning/locking of terminated/locked users

• Introduce validations and quality checks for mass access changes

• Improved monitoring and transparency of the authorizations assignment process

Page 9: Tips & Tricks for a full scale IdM implementation

Challenges of the new implementation

Page 10: Tips & Tricks for a full scale IdM implementation

External Users Add-on for SAP IdM

1. Create/maintain users manually in IdM UI *

2. Using a scripted job or task in IdM

3. CSV file upload with job and script

4. External Users Add-on

Maintain external users information

Integrate external users in existing IdM processes

Creation / Sync of external users

• All-in-one management cockpit for external users

• Complex search capabilities

• Open to integration with any 3rd party system

• Asynchronous sync to IdM (similar to HR)

• Permission based access for different organizational structures

Page 11: Tips & Tricks for a full scale IdM implementation

Mass Upload Add-on for SAP IdM

1. In IdM UI mass access changes for 1 user

2. Using a scripted job or task in IdM

3. CSV file upload with job and script *

4. Mass Upload Add-on

Integrity check of users

Apply mass changes in IdM

Validation of input data

• Validation of input data

• Easy manipulation of already imported records

• Template based changes

• Asynchronous processing of requests

• Supported actions

– Assign/Unassign permissions

– Lock/Unlock users

– Creation/Termination of users (global and per system)

Page 12: Tips & Tricks for a full scale IdM implementation

Authorization Matrix Add-on for SAP IdM

1. Create BRs manually (console and IdM UI)

2. Hard coded IdM scripts running in jobs

3. CSV files upload with temp tables *

4. Authorization Matrix Add-on

Creation and update of business roles

Reconciliation of user accounts

Validation and load of authorization data

• Validations and integrity checks against IdM

• Versioning of uploaded matrixes

• Flexible definition of business role keys

• Seamless integration with IdM standard provisioning flow

• Possibility to create context-dependent business roles

• Multiple parallel loads for different organizational structures

Page 13: Tips & Tricks for a full scale IdM implementation

Self-service Add-on for SAP IdM

1. Using standard self-service from IdM *

2. Using custom developed UIs using IdM tools *

3. Custom Self-service UI with IdM process *

4. Custom Self-service UI with BPM process

Complex assignment rules and approver levels

Full traceability of actions and assignments

Single process for manual and automatic apps

• Allows for complex process flows and state-of-the-art user interfaces

• Full traceability and monitoring of the user access process

• Seamless integration with any 3rd party system incl. SAP GRC

• Supports manual and automatic applications

• Improved access control

Page 14: Tips & Tricks for a full scale IdM implementation

Other Add-ons for SAP IdM

• Integrity Check Report

– Compare all your target systems with the master IdM data. Differences in permissions, names, addresses, etc. across systems are easy to spot with this add-on

• Password Self-service

– One-stop UI for password reset to all systems connected to IdM. Additional parts of the add-on include forgotten-password reset and an admin UI for resetting users

• Notifications

– Easy maintenance of notifications in different languages and for different events in IdM

• Substitutions

– Replacement UI for the standard UWL inbox substitution with a much more intuitive interface and extended functionality

Page 15: Tips & Tricks for a full scale IdM implementation

Feedback is appreciated!

Ani Nenkova


Todor Petrov


Please take some time to evaluate our session with ID: ITM237