THE BUCHAREST ACADEMY OF ECONOMIC STUDIES [303348]

[anonimizat]’s Degree: IT&C Security

DISSERTATION THESIS

SECURE SAP APPLICATIONS USING SAP IDENTITY MANAGEMENT

Scientific Supervisor Degree Candidate

Prof. [anonimizat]

2016


Chapter I – [anonimizat]

[anonimizat]. [anonimizat]. Moreover, the days in which a person would keep a certain job for a great number of years are long past. [anonimizat]: [anonimizat]. SAP, one of the world’s leading business software companies, has developed a platform used to run every SAP application (ERP, BW, HCM). This technology is called SAP NetWeaver and is the base implementation of all core processes used inside a large company. As we live in a [anonimizat].

Managing users in heterogeneous IT landscapes presents many challenges for organizations. [anonimizat]. This complexity is compounded by regulatory requirements mandating that organizations track who had access to which applications at what time.

Identity management is becoming a significant challenge for organizations today. You must ensure that your users have the right access to a multitude of applications in a [anonimizat], and that access to corporate assets is compliant with corporate policies as well as legal regulations.

This has led to the development of a market for solutions that offer companies ways to securely manage their employee user accounts in a centralized fashion.

Management of identities represents a challenge for most organizations today: [anonimizat]. The user must authenticate to systems to get access to the many applications within the organization. [anonimizat] (Customer Relationship Management) systems, the HR (Human Resources) system, databases, directories, physical access control systems, e-mail systems and support systems.

[anonimizat] I [anonimizat] – SAP NetWeaver Identity Management. SAP NetWeaver Identity Management is a tool used to manage user access, provide access according to current business roles, and manage passwords with self-service capabilities and approval workflows. I will further discuss the technical considerations of SAP systems.

I.1 SAP NetWeaver Overview

In 2004, SAP developed a platform used for every SAP software application. This was named the SAP NetWeaver technology platform. SAP NetWeaver became the primary technology computing platform and foundation for many SAP applications. SAP NetWeaver Application Server is the result of the development of the SAP Application Server technology (previously called SAP Basis), whereby special attention is paid to web-based applications. SAP NetWeaver offers extensive capabilities (such as Business Warehouse), which are all based on the application platform. As described in the following chapters, SAP systems can be installed on almost all types of hardware platforms, databases and operating systems. These functions are provided through a set of tools such as Portal, Business Intelligence, Process Integration (PI/XI), etc.

I.2 SAP Application Server Architecture and Classification

The SAP NetWeaver Application Server represents the core of the SAP software stack. It also provides a platform for other NetWeaver components (Portal, PI, and so on), as well as for ABAP and Java applications.

An SAP system consists of application server instances as well as one or more databases.

In an SAP system there is a central instance, which contains the enqueue server. A dialog instance consists of the following components:

Internet Communication Manager (ICM), which sets up the connection to the Internet. It can process both server and client web requests. The ICM works with HTTP, HTTPS and SMTP.

Dispatcher, which distributes the requests to ABAP work processes. When all work processes are occupied, the requests are stored in a queue.

Work processes, which run ABAP or Java programs.

Gateway, which provides the RFC interface between SAP instances.

Message Server, which exchanges messages between instances and performs load balancing within the SAP system.

The Java component of SAP NetWeaver AS also contains the Java Dispatcher, the Server Process and the Software Deployment Manager.

The graphic below shows these components:

Figure I.1 – Architecture of SAP NetWeaver AS

Classification

There are two options for the SAP NetWeaver AS:

ABAP system: in the picture above, these are the components in the blue box on the left.

Java system: in the picture above, these are the components in the green box on the right.

The architecture of the SAP Web Application Server can be separated into five layers, three of them being the most representative, as in the picture below:

Presentation layer. Here, the user interface is developed with the help of Java Server Pages (JSP), Business Server Pages (BSP), or Web Dynpro technology.

Business layer, which consists of a certified Java run-time environment that processes the requests from the ICM and dynamically generates the responses. The business logic can be written either in ABAP or in Java.

Integration layer, which is an integral part of SAP Web AS and allows a direct connection to SAP XI, now called SAP PI.

Connectivity layer, formed by the ICM, which dispatches user interface requests to the presentation layer.

Persistence layer, which supports database independence and helps transactions scale.

Figure I.2 – SAP Web AS layers

I.3 Central User Administration (CUA), Governance, Risk, and Compliance (GRC) and SAP NetWeaver Identity Management (IDM)

Central User Administration (CUA)

User information is stored in a specific manner in SAP systems. Using central user administration (CUA), administrators can maintain user master records centrally in one system. CUA distributes changes automatically to the child systems.

Distribution of the data is based on a functioning application link enabling (ALE) landscape. Data is exchanged in a controlled manner and is kept consistent.

In an ALE-integrated system group, SAP and non-SAP systems can communicate. The systems linked to each other are called logical systems. In the context of CUA, the logical systems are the clients involved; that is, a single SAP system can house multiple logical systems in terms of ALE (and CUA). Data exchange in an ALE-integrated system is performed by exchanging intermediate documents (IDocs) via Remote Function Call (RFC).

An ALE system group is used by central user administration to distribute user data between a central system and child systems linked by ALE.

I have presented a solution used to centrally administer users in an SAP environment. However, from the perspective of its users, this approach comes with a number of serious issues, such as:

– long time to become productive – a new employee will typically start off with temporary accounts, and the entire process of requesting and setting up their permanent user accounts is very long and arduous in a heterogeneous IT landscape. Therefore, a long time may pass before a new employee truly becomes productive.

– manual steps required to get access – the new employee may need to spend a lot of time researching what permissions and accounts are needed for the job, and then proceed to request them manually. Employees may also need to update their own permissions if their responsibilities change.

This is not only a significant time sink but also leaves room for a lot of errors and security risks.

– no de-provisioning of authorizations – if an employee moves to another department or leaves the company, the process of deleting the users and permissions they have acquired during their employment throughout all the software solutions the company owns may take a lot of time and manpower. As a result, this task may be overlooked altogether, creating audit exposures and security risks and leaving a large number of unnecessary records in the databases.

– audit and security issues – no complete audit trail is available, and enforcing rules that respect audit regulations becomes troublesome. There is no way to track which users have access to which IT resources. Preventing unauthorized access in multi-enterprise environments is close to impossible.

– multiple sources of identity data

– labor-intensive, sometimes paper-based approval systems

This paper proposes to outline a valid solution for medium-sized to large companies to successfully manage their SAP users in a centralized environment, while ensuring that all security, audit and legal regulations are followed. The solution also aims to reduce operational costs in complex system landscapes.

This is why I will further discuss two more solutions that are able to meet the following requirements:

– a single central portal to manage users not only in SAP, but also in non-SAP applications, regardless of the individual data stores

– the ability to seamlessly integrate with the company’s business processes

– centralized reporting functionality to address compliance and auditability concerns, ensuring that user access is auditable across the entire IT landscape, with an extensive audit trail and logging

– password-reset and lost-password management functionality for end-user access across the entire IT landscape

– built-in connectivity with an HR management solution

– consistent user roles and privileges

– verification and cross-checking of user permissions, to make sure that an employee only has access to the systems and data required to perform their job

Governance, Risk, and Compliance (GRC)

Governance, Risk, and Compliance, also referred to as GRC, is a term used to describe the processes and software through which a business organizes its policies and controls to address all its obligations. GRC tracks what is being done in a company and communicates when risks appear. It offers the following advantages:

Compliance checks / GRC: the GRC integration offers extensive functions for assuring compliance and segregation of duties in the role and authorization assignment process.

Definition and rule-based assignment of business roles: different rule sets can be defined for the assignment of roles to users. This means that the assignment can be performed automatically based on attributes of the identity.

SAP Audit Management allows auditors to provide reliable information on risk and on the adequacy of management responses. It drives increased efficiency and effectiveness into the audit process, and provides a foundation for an integrated risk management approach. The main capability used for integration with IDM is the GRC Sarbanes-Oxley (SOX) capability, introduced for the major regulatory requirements of corporations that needed a tool for managing their financial practices and governance.

Organizations are now required to regularly check the risks that arise from users being allocated access to different SAP systems and business roles. The scope of GRC is to remediate those access risks through mitigating controls. The SOX check is used both when users are created in SAP systems and for periodic checks, which involve scheduling periodic reviews of users’ access, controls, risk violations, role assignments and risks.

SAP NetWeaver Identity Management

SAP NetWeaver Identity Management is now SAP’s strategic recommendation for managing users across SAP systems, because it offers the following advantages:

Central Identity store: The central store consolidates identity data from different source systems and then distributes this information to the target systems.

Approval Workflows: Workflows distribute the responsibility for authorization assignments to the different business process owners and managers.

Identity Virtualization / Identity as a service: The data within SAP Netweaver identity management can be accessed using services and standard protocols such as LDAP.

SAP Business Suite Integration: The integration of HCM as one of the possible source systems for identity information is a key functionality for enabling business-driven identity management.

Monitoring and Audit: provides auditors with one central place to check employees’ authorizations in all systems. This information is also available for the past.

With SAP NetWeaver Identity Management, SAP offers integrated identity management capabilities for heterogeneous system landscapes (SAP and non-SAP software), driven by business processes.

Chapter II – Security Aspects of SAP NetWeaver

SAP system security is important because interest in SAP platform security has been growing among security researchers, but also among zero-day exploit buyers and sellers. Security issues can be seen starting from the operating system level, moving on to the database, network and communications security, and up to the application layer. SAP combines these security aspects so that the overall IT scenario is protected against all types of threats. For this to be accomplished, almost all the common, proven security mechanisms and protocols are used.

Based on the above logical diagram we can follow the addition of a user to an SAP Enterprise Resource Planning (ERP for short) system and an SAP Business Warehouse system (BW for short), together with the checks made in SAP Identity Management (IDM for short) and SAP Governance, Risk and Compliance (GRC), in order to easily add and further maintain the user, as well as make the actions taken auditable in the required systems. As we can see in this diagram, user addition in an SAP system begins with the onboarding process, where employee data (first name, last name, phone number, address) is added to the HR systems.

The Identity Center Workflow module has a web-based portal for both registrations and approvals and makes use of the Identity Center provisioning module for performing the given operations, including the approval process. From here an IDM workflow is activated and a notification is sent to the employee’s direct manager, who approves or rejects the request. Which attributes to prompt for, which attributes are mandatory, as well as what other information to show, can be configured from the Identity Center user interface.

In a more advanced scenario, any member of a given group may be allowed to do approvals. There may also be several approvals, which must all be performed before the provisioning takes place. For example, the department manager may approve the title of the user, while the mail administrator will define the mail server and the storage quota for e-mail.

Let’s take for example the primary situation where a manager is approving a request that arrived via e-mail. After the employee’s manager approves the request, it arrives in IDM and the workflows are engaged. The first check made by the IDM solution is what type of system the targeted SAP system is.

If it is a Business Warehouse (BW for short), only the manager’s approval is required in order to add technical roles for a user in the system. For an ERP system, in order to add user permissions, both the manager’s approval and the SOX administrator’s approval are needed. The process is as follows: the employee’s direct manager receives a workflow that he must approve via e-mail in order to process the request further. After his approval, in this case, the requested user authorizations are processed in a Governance, Risk and Compliance system. This system has been designed to work together with IDM for audit purposes.

In a GRC system, the administrator receives the request in a portal where he can see which technical roles are to be added to the employee’s business role, and makes sure that there is no compatibility issue between them. If incompatibilities are discovered, the SOX administrator has to decide whether those roles violate segregation of duties and whether the assigned roles would make the SAP system fail audit checks.

If he agrees that the required technical roles do not affect any audit activity, he goes ahead and manually approves them. The administrator will approve (or reject) the user registration and possibly supply additional attributes. After both the manager and the SOX administrator have approved the request, a workflow for user provisioning in the requested SAP system is generated.

The provisioning module will create the user within the given applications, based on the attributes the HR department has entered, such as location and department. Finally, the user is informed by e-mail or SMS that the account has been created. In the other case, where the direct manager or the SOX administrator rejects the request, user provisioning is dropped. For BW systems, a rejection by the direct manager alone drops the user addition process. For ERP systems, both the direct manager and the SOX administrator must approve the request; if just one of them does not validate the request, the workflow is dropped as well.
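The approval flow described in this chapter, together with the segregation-of-duties check that the GRC/SOX section of Chapter I attributes to the GRC integration, can be modelled as a small state machine. The following Python is an added example, not code from the thesis or from SAP IDM/GRC: it assumes a constructed SoD rule set with hypothetical technical role names (the `Z_*` names are not SAP's), and applies the decision rules exactly as the text states them (BW: manager approval only; ERP: manager approval, then GRC reports conflicts and the SOX administrator decides; any single rejection drops the request). Every decision is written to an audit trail, since the text stresses that the actions taken must be auditable.

```python
from dataclasses import dataclass, field
from enum import Enum


class SystemType(Enum):
    BW = "BW"    # Business Warehouse: manager approval only
    ERP = "ERP"  # ERP: manager approval, then GRC / SOX administrator approval


class Status(Enum):
    PENDING_MANAGER = "pending_manager"
    PENDING_SOX = "pending_sox"
    PROVISIONED = "provisioned"
    REJECTED = "rejected"


# Constructed segregation-of-duties rule set (hypothetical role names, not SAP's):
# each pair of technical roles must not be held by the same user.
SOD_RULES = {
    frozenset({"Z_AP_INVOICE_ENTRY", "Z_AP_PAYMENT_RELEASE"}),
    frozenset({"Z_VENDOR_MASTER_MAINT", "Z_AP_PAYMENT_RELEASE"}),
}


def sod_conflicts(existing_roles, requested_roles):
    """Return the SoD rules violated by the union of the user's current and requested roles."""
    combined = set(existing_roles) | set(requested_roles)
    return sorted(tuple(sorted(rule)) for rule in SOD_RULES if rule <= combined)


@dataclass
class AccessRequest:
    user: str
    system: SystemType
    requested_roles: set
    existing_roles: set = field(default_factory=set)
    status: Status = Status.PENDING_MANAGER
    audit: list = field(default_factory=list)  # (actor, decision, detail) audit trail

    def manager_decision(self, approved, manager="direct_manager"):
        """First approval step: the direct manager approves or rejects the request."""
        if self.status is not Status.PENDING_MANAGER:
            raise ValueError(f"request is not awaiting the manager: {self.status.value}")
        if not approved:
            self.status = Status.REJECTED
            self.audit.append((manager, "reject", ""))
            return self.status
        self.audit.append((manager, "approve", ""))
        if self.system is SystemType.BW:
            self.status = Status.PROVISIONED      # BW: manager approval is sufficient
        else:
            self.status = Status.PENDING_SOX      # ERP: route to the GRC / SOX check
        return self.status

    def sox_decision(self, approved, sox_admin="sox_admin"):
        """Second approval step (ERP only): GRC reports SoD conflicts, the SOX admin decides."""
        if self.status is not Status.PENDING_SOX:
            raise ValueError(f"request is not awaiting the SOX administrator: {self.status.value}")
        conflicts = sod_conflicts(self.existing_roles, self.requested_roles)
        for pair in conflicts:
            self.audit.append(("grc", "sod_conflict", " vs ".join(pair)))
        if approved:
            self.status = Status.PROVISIONED
            self.audit.append((sox_admin, "approve", f"{len(conflicts)} conflict(s) reviewed"))
        else:
            self.status = Status.REJECTED
            self.audit.append((sox_admin, "reject", ""))
        return self.status


def run_scenario():
    """Walk through the cases in the text and return the final status of each request."""
    bw = AccessRequest("jdoe", SystemType.BW, {"Z_BW_REPORT_USER"})
    bw.manager_decision(True)

    erp_ok = AccessRequest("jdoe", SystemType.ERP, {"Z_AP_INVOICE_ENTRY"})
    erp_ok.manager_decision(True)
    erp_ok.sox_decision(True)

    erp_conflict = AccessRequest("asmith", SystemType.ERP, {"Z_AP_PAYMENT_RELEASE"},
                                 existing_roles={"Z_AP_INVOICE_ENTRY"})
    erp_conflict.manager_decision(True)
    erp_conflict.sox_decision(False)  # SOX admin rejects the conflicting assignment

    erp_manager_reject = AccessRequest("bjones", SystemType.ERP, {"Z_AP_INVOICE_ENTRY"})
    erp_manager_reject.manager_decision(False)

    return {
        "bw": bw.status,
        "erp_ok": erp_ok.status,
        "erp_conflict": erp_conflict.status,
        "erp_manager_reject": erp_manager_reject.status,
        "conflict_audit": erp_conflict.audit,
    }


if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(name, value)
```

Note that the SoD check runs over the union of the roles the user already holds and the roles requested: a request that looks harmless on its own can still create a conflict with an earlier assignment, which is exactly the accumulation problem described later in Chapter III.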

II.1 Manage Identities in SAP NetWeaver

When SAP system transactions are executed, a large number of authorization objects are often checked. In order to execute transactions, the user in question must have the adequate authorizations. This also leads to an increased maintenance workload. The generated profiles are not always complete, meaning that we may have to add authorizations that are not contained in the profiles manually.

To simplify the administrative tasks, we can consider reducing the scope of the authorization checks in such cases by using SAP Identity Management, which will be discussed in more detail in chapter 4.

II.2 SAP NetWeaver Authentication

Authentication protects the confidentiality, integrity and availability of the information flow. Authentication in SAP represents the process of establishing and verifying the identity of a person or a system as a prerequisite for allowing the person or system component access to an SAP NetWeaver server system.

The network infrastructure is extremely important in protecting SAP systems. The network must support the communication necessary for the business without allowing unauthorized access.

A well-defined network topology can eliminate many security threats based on software flaws (at both the operating system and application level) or on network attacks such as eavesdropping.

If users cannot log on to your application or database servers at the operating system or database layer, the possibility of compromising the machines and gaining access to the SAP directories is very small.

Using an SAP Web Dispatcher enables customers to conceal the host names and communication ports of the application servers: URLs include the host name and port of the SAP Web Dispatcher.

II.3 Authorization concepts in SAP NetWeaver AS Java

The Application Server Java (AS Java) provides features for ensuring its robustness, scalability and supportability. Authorization checks are built into the Java application. Access to an application is granted by checking whether the appropriate JEE security role is assigned to the requesting user. If the user does not have the required security role, an error message is displayed and access is denied.

In practice this means that the application determines which of the following is used: JEE security roles, UME permissions or UME ACLs.

In principle, J2EE security roles can only be administered using the administrator console. UME roles can be administered using Identity Management. J2EE security roles are part of the J2EE standard, while UME roles are an (SAP) extension of the J2EE security roles.

Authorization checks can be defined with J2EE security roles and UME roles. However, it is easier to assign authorizations with UME roles: while a J2EE security role comprises one object, a UME role comprises many authorization objects (known as actions).

Permissions are defined in the Java code. They are used to provide access control. Permissions cannot be assigned directly to a user.

An action is a collection of permissions. A Java application defines its own actions and specifies the authorizations in an XML file named <name of the application>.xml (e.g. sap.com_TC~wd~dispwda.xml).

Actions are displayed in Identity Management. You can use Identity Management to combine these actions into (UME) roles.

A security role is an abstract definition that protects access to an application, a service, or another resource. The role consists of only a name and a description. The role relates only to the application for which it was defined. J2EE security roles allow an access check for J2EE applications.

A J2EE security role can be assigned either directly to users and/or groups, or as a so-called reference role. An administrator can also manage authorizations by assigning roles in the corresponding access control lists (in Resource Management). These security concepts will be used in the case study presented in Chapter 4.

The following figure illustrates the analogies between the authorization concepts in AS ABAP, AS Java, and the J2EE standard:

Figure II.3 – Comparison of the Authorization Concepts
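The indirection described above (permissions defined in code, grouped into actions by the application's XML file, combined into UME roles, and only then assigned to users) is easy to get wrong when reasoning about who can do what. The following Python is an added example, not code from the thesis or from SAP's UME: it models that chain and the J2EE security role mapping (direct assignment or reference to a UME role). The XML it parses is a constructed, simplified stand-in for the `<name of the application>.xml` file; the element names are hypothetical and are not SAP's real schema, and all role, action and permission names are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed action definition file, standing in for <name of the application>.xml.
# The element names are a simplified stand-in, not SAP's real schema.
ACTIONS_XML = """<actions application="example.app">
  <action name="Manage_Content">
    <permission name="content.edit"/>
    <permission name="content.view"/>
  </action>
  <action name="View_Content">
    <permission name="content.view"/>
  </action>
  <action name="Administer_System">
    <permission name="system.restart"/>
  </action>
</actions>"""


def load_actions(xml_text):
    """Parse the application's action file into {action_name: set(permission_names)}."""
    root = ET.fromstring(xml_text)
    return {a.get("name"): {p.get("name") for p in a.findall("permission")}
            for a in root.findall("action")}


class Ume:
    """Minimal model of the UME objects: actions -> roles -> users, plus J2EE security roles."""

    def __init__(self, actions):
        self.actions = actions            # action -> permissions (from the application's XML)
        self.roles = {}                   # UME role -> set of actions
        self.user_roles = {}              # user -> set of UME roles
        self.security_roles = {}          # J2EE security role -> direct users / referenced UME roles

    def define_role(self, role, action_names):
        unknown = set(action_names) - set(self.actions)
        if unknown:
            raise ValueError(f"unknown actions: {sorted(unknown)}")
        self.roles[role] = set(action_names)

    def assign_role(self, user, role):
        if role not in self.roles:
            raise ValueError(f"unknown UME role: {role}")
        self.user_roles.setdefault(user, set()).add(role)

    def permissions_of(self, user):
        """Resolve user -> UME roles -> actions -> permissions; permissions are never assigned directly."""
        perms = set()
        for role in self.user_roles.get(user, ()):
            for action in self.roles[role]:
                perms |= self.actions[action]
        return perms

    def has_permission(self, user, permission):
        return permission in self.permissions_of(user)

    def map_security_role(self, security_role, users=(), reference_roles=()):
        """A J2EE security role assigned directly to users and/or as a reference to UME roles."""
        self.security_roles[security_role] = {"users": set(users),
                                              "reference_roles": set(reference_roles)}

    def in_security_role(self, user, security_role):
        mapping = self.security_roles.get(security_role)
        if mapping is None:
            return False                  # unknown role: deny, never fail open
        if user in mapping["users"]:
            return True
        return bool(self.user_roles.get(user, set()) & mapping["reference_roles"])


def build_example():
    """Constructed landscape: three users, three UME roles, one J2EE security role."""
    ume = Ume(load_actions(ACTIONS_XML))
    ume.define_role("Content_Admin", ["Manage_Content"])
    ume.define_role("Content_Reader", ["View_Content"])
    ume.define_role("System_Admin", ["Administer_System"])
    ume.assign_role("alice", "Content_Admin")
    ume.assign_role("bob", "Content_Reader")
    ume.assign_role("carol", "System_Admin")
    ume.map_security_role("administrators", users=["carol"], reference_roles=["Content_Admin"])
    return ume


if __name__ == "__main__":
    ume = build_example()
    for user in ("alice", "bob", "carol"):
        print(user, sorted(ume.permissions_of(user)), ume.in_security_role(user, "administrators"))
```

The point of `permissions_of` is that a user's effective permissions can only be derived by walking the role and action definitions; an auditor who wants to know whether `bob` can edit content has to resolve the whole chain, which is why the text says Identity Management is the place where actions and roles are combined and reviewed.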

II.3.1 AS Java: SAP NetWeaver Portal

SAP Portal is the central point of accessing SAP and non-SAP sources, information repositories, databases, enterprise applications, and services inside and outside your organization – all integrated in a single user experience. SAP Enterprise Portal provides pre-assembled content bundled as business packages for completing business tasks.

SAP Portal plays a key role in SAP’s user interaction strategy to increase people’s productivity through innovative solutions.

The Portal enables users, from employees and customers to partners and suppliers, to focus on the data relevant to their daily decision-making processes. SAP NetWeaver Portal will be used for the SAP NetWeaver Identity Management implementation presented in chapter 4.

Chapter III – SAP NetWeaver Identity Management Overview

Identity management solutions cover the entire lifecycle of a user, from the on-boarding process to the termination of the employment contract. Without an identity management solution, managing user access in an auditable and compliant way becomes labor intensive, repetitive and error prone. When an employee is hired, the organization grants a specific set of permissions in SAP systems. Later, the employee may be promoted or his business role may change, and so he receives additional permissions. Another example is when a user receives roles for a short-term activity or while covering for a colleague on vacation. This is why an employee typically accumulates a series of privileges over time and often continues to have access that is no longer required for his actual role. This is, of course, a security risk, but it is also a potential compliance violation: adding a new role might cause conflicting authorizations for the user. Finally, when the employee leaves the company, the access that this user has may still not be revoked, perhaps even years later, which represents a security risk to the organization. The conclusion is that at each stage only a specific set of business roles, and therefore technical roles, must be assigned to the user. Users are assigned authorizations based on the job they perform using that system.

Figure III.1 – SAP Identity Management overall integration

SAP Identity Management is part of the SAP security suite, which includes access control as well as compliance aspects and secure programming. The solution covers the entire identity lifecycle and provides automation capabilities based on business processes.

Extensive connectivity with SAP and non-SAP applications extends identity management to all areas of the enterprise.

Figure III.2 – SAP Identity Management integration with SAP and non-SAP applications

Identity management is part of SAP NetWeaver and SAP's business process platform. It offers management capabilities for landscapes, and can be closely aligned with company-specific business processes. This translates into higher efficiency, a more secure landscape, and a lower cost of ownership. Among the advantages, we can count:

Supports sophisticated business role definition and administration, and simplifies the role structure through dynamic role assignment based on user context information.

Figure III.3 – Technical role assignment based on business role

Enables the workflow-based requests for approvals.

Figure III.4 – Workflow for approvals

Support of LDAP directories and databases, as well as standards such as SPML

Figure III.5 – LDAP Integration with SAP IDM

Supports tight integration with SAP Business Suite 7.0

Identity management is part of SAP NetWeaver and SAP's business process platform. This translates into a lower cost of ownership, higher efficiency and increased employee productivity. The SAP NetWeaver Identity Management component helps manage this process centrally, across SAP solutions. These aspects will be discussed in the following chapters.

Figure III.6 – SAP IDM Integration with SAP Business Suite

III.1 Authorization concept for operating SAP NetWeaver Identity Management

Identity management can cover many different kinds of identities. Although the primary scope of an identity solution is to handle the organization’s employees, handling the identities of customers and partners is equally important. For any organization to achieve more efficient and secure management of employee accounts, an identity management solution is a prerequisite. This includes everything from the initial steps of coordinating all accounts using directory services to setting up a workflow and provisioning system for distributed management of accounts.

User information is stored in a specific manner in SAP systems. That is, every client in a system has its own, independent group of permitted users. Classically, users are maintained in the respective client. In complex landscapes, this task can easily become confusing. There may, therefore, be potential security gaps in user administration. This can result in large costs for consistent user maintenance.

The picture below describes in detail all the situations encountered by a person in a company as they are hired, promoted, reassigned, given a new position or substituted.

Figure III.7 – Personnel lifecycle
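The lifecycle in the figure above, and the accumulation-of-privileges problem described at the start of this chapter, come down to one rule: at any moment the technical roles a user holds should be exactly those derived from his current business roles, including time-boxed substitutions. The following Python is an added example, not code from the thesis or from SAP IDM: it assumes a constructed business-role catalogue (hypothetical `Z_*` technical role names, not SAP's) and reconciles required against assigned roles on every lifecycle event, so that a reassignment or the expiry of a substitution revokes what is no longer needed and leaving the company revokes everything.

```python
from datetime import date

# Constructed business-role catalogue: business role -> {system: {technical roles}}.
# Role names are hypothetical, not SAP's.
BUSINESS_ROLES = {
    "AP_CLERK":   {"ERP": {"Z_AP_INVOICE_ENTRY", "Z_AP_DISPLAY"},   "BW": {"Z_BW_FIN_REPORTS"}},
    "AP_MANAGER": {"ERP": {"Z_AP_PAYMENT_RELEASE", "Z_AP_DISPLAY"}, "BW": {"Z_BW_FIN_REPORTS"}},
    "SALES_REP":  {"ERP": {"Z_SD_ORDER_ENTRY"},                     "BW": {"Z_BW_SALES_REPORTS"}},
}


class Identity:
    """An employee's identity with its current business role and time-boxed substitutions."""

    def __init__(self, user):
        self.user = user
        self.business_role = None
        self.substitutions = []          # (business_role, valid_until)
        self.assigned = {}               # system -> set of technical roles currently provisioned
        self.changes = []                # audit trail of (event, system, action, role)

    # --- lifecycle events from the figure: hire, promote/reassign, substitute, leave ---
    def hire(self, business_role, today):
        self.business_role = business_role
        return self.reconcile("hire", today)

    def reassign(self, business_role, today):
        self.business_role = business_role
        return self.reconcile("reassign", today)

    def substitute(self, business_role, until, today):
        self.substitutions.append((business_role, until))
        return self.reconcile("substitute", today)

    def leave(self, today):
        self.business_role = None
        self.substitutions.clear()
        return self.reconcile("leave", today)

    def required_roles(self, today):
        """Technical roles the identity should hold today, derived only from business roles."""
        required = {}
        active = [self.business_role] + [r for r, until in self.substitutions if until >= today]
        for br in active:
            if br is None:
                continue
            for system, roles in BUSINESS_ROLES[br].items():
                required.setdefault(system, set()).update(roles)
        return required

    def reconcile(self, event, today):
        """Diff required vs. assigned roles; add what is missing, revoke what is no longer required."""
        required = self.required_roles(today)
        delta = []
        for system in sorted(set(required) | set(self.assigned)):
            want = required.get(system, set())
            have = self.assigned.get(system, set())
            for role in sorted(want - have):
                delta.append((event, system, "add", role))
            for role in sorted(have - want):
                delta.append((event, system, "revoke", role))
            self.assigned[system] = set(want)
        self.changes.extend(delta)
        return delta


def run_lifecycle():
    """Constructed career: hired as clerk, covers for the manager, moves to sales, leaves."""
    ident = Identity("jdoe")
    ident.hire("AP_CLERK", date(2016, 1, 4))
    ident.substitute("AP_MANAGER", until=date(2016, 2, 12), today=date(2016, 2, 1))
    ident.reconcile("expiry_check", date(2016, 2, 15))   # substitution has expired by now
    ident.reassign("SALES_REP", date(2016, 6, 1))
    ident.leave(date(2016, 12, 31))
    return ident


if __name__ == "__main__":
    for change in run_lifecycle().changes:
        print(*change)
```

The scheduled `expiry_check` reconciliation is what keeps a vacation cover from turning into a permanent entitlement; without it the substitute would keep `Z_AP_PAYMENT_RELEASE` next to `Z_AP_INVOICE_ENTRY`, exactly the kind of conflicting assignment the GRC check in Chapter II is meant to flag.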

This chapter describes the SAP NetWeaver Identity Management product, which covers most of the core functionality for implementing an identity solution, including a virtual directory. The figure below provides an overview of the aspects of identity management. The distinction between the different areas is more blurred than the figure indicates. Below is a brief explanation of each of the areas; password management and provisioning logic are covered in more depth.

Directory services are a prerequisite for the other parts of an identity management solution. Their purpose is to provide the identity store, the common view of all the identities. Building an identity store includes the complex task of joining the identity information across numerous repositories within the organization and ensuring that the information stored about these identities is kept synchronized over time.

Identity Administration includes functionality for managing the identity information. There are two approaches for managing the identities: one is to use the existing infrastructure for this administration, using a combination of directory services/provisioning for distributing the accounts and the other one is to use a separate application for this purpose. Users can deal with a part of their own identity information (e.g. telephone number and other personal information).

Web Access Management covers ways for authentication and authorization of identities, as well as identity federation across domains. An important part of Web Access Management is the auditing function.

Auditing, Reporting, Logging, Monitoring are the low-level components of identity management solutions. Verifying operations, generating reports, producing and viewing logging information are the functional requirements.

III.1.1 Password Management

This topic represents an important part of identity administration. For most organizations this is expensive, since it requires help desk staff to respond to requests about forgotten passwords in different systems. A balance must be struck between secure password handling and simplicity for end users. The Identity Center includes a proprietary solution for resetting lost passwords.

Password management includes functionality for ensuring that the user's identifier and password remain the same across a number of repositories. It is also responsible for updating the password in all applications when a user changes the password. When users forget their password, there is a need for password resets, either by an administrator or by the user in question. This aspect will be presented in more detail in the following chapter.

Figure III.8 – Password Management

III.1.2 Provisioning Logic

Provisioning is an advanced form of updating repositories, going beyond a plain directory services solution. The term provisioning is often used to mean user provisioning or account provisioning. The functionality includes the creation of accounts, setting initial passwords, setting and modifying access rights, disabling (revoking) an account and deleting an account.

The overall purpose is to make sure an identity has the correct access to the applications. There are several motivations for an organization to embark on a provisioning project. The most common motivation is to reduce the cost of internal maintenance, which can be achieved by automating the process of managing the accounts. In this way the temptation for a manager to pass business to a company with which he or she has personal or family ties is also avoided.

In the provisioning module of the Identity Center it is possible to define a hierarchy of tasks, starting with very basic tasks such as creating an account and setting the account attributes.

Figure III.9 – Provisioning task structure

More complex tasks can be built, including tasks that operate on several repositories. Tasks can be defined to run in sequence or in parallel.

For each task, error-recovery tasks can be defined, as well as confirmation tasks, which for example can send an email or SMS message when a task is completed.

Persistence plays a key role in the provisioning module. There will always be situations where temporary failures occur, such as network failures or power glitches.

Since the SAP NetWeaver Identity Management product uses a reliable relational database for storing the identity information, as well as all provisioning tasks and the state of each of them, it will always be possible to recover from such failures. Scalability is another important issue.

The provisioning module is limited only by the performance and size of the database and the processing power.

The provisioning module stores all logging and audit information within the database and this information is made available through a web application. In addition, any report generator can be used with the database, to produce any report required.
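The properties this section attributes to the provisioning module (a sequence of basic tasks, error-recovery and confirmation tasks, and task state persisted in the database so that a transient failure does not lose the job) can be shown with a small runner. The following Python is an added example, not code from the thesis or from the SAP Identity Center: it assumes an in-memory SQLite database standing in for the Identity Center database, a constructed `FlakyTarget` whose password call fails a configurable number of times, and hypothetical task and job names. Parallel task branches are not modelled; tasks run in sequence.

```python
import sqlite3


class TransientFailure(Exception):
    """A recoverable error (network glitch, unreachable target system)."""


class ProvisioningRunner:
    """Runs a job's tasks in sequence, keeping each task's state in the database so that a
    runner restarted after a crash resumes from the first task that is not yet done."""

    def __init__(self, conn, max_attempts=3):
        self.conn = conn
        self.max_attempts = max_attempts
        conn.execute("CREATE TABLE IF NOT EXISTS task_state ("
                     "job TEXT, task TEXT, state TEXT, attempts INTEGER, PRIMARY KEY (job, task))")
        conn.execute("CREATE TABLE IF NOT EXISTS audit_log (job TEXT, task TEXT, message TEXT)")

    def state(self, job, task):
        row = self.conn.execute("SELECT state, attempts FROM task_state WHERE job=? AND task=?",
                                (job, task)).fetchone()
        return row if row else ("new", 0)

    def _set(self, job, task, state, attempts):
        self.conn.execute("INSERT OR REPLACE INTO task_state VALUES (?,?,?,?)",
                          (job, task, state, attempts))
        self.conn.commit()

    def log(self, job, task, message):
        self.conn.execute("INSERT INTO audit_log VALUES (?,?,?)", (job, task, message))
        self.conn.commit()

    def audit(self, job):
        return [(t, m) for t, m in
                self.conn.execute("SELECT task, message FROM audit_log WHERE job=?", (job,))]

    def run_job(self, job, tasks, on_error=None, on_confirm=None):
        """tasks: ordered list of (name, callable). Returns the job's final state."""
        for name, fn in tasks:
            state, attempts = self.state(job, name)
            if state == "done":
                continue                               # completed before a restart: skip
            if state == "aborted":
                return "aborted"
            try:
                fn()
                self._set(job, name, "done", attempts + 1)
                self.log(job, name, "done")
            except TransientFailure as exc:
                attempts += 1
                if attempts >= self.max_attempts:
                    self._set(job, name, "aborted", attempts)
                    self.log(job, name, f"aborted after {attempts} attempts: {exc}")
                    if on_error:
                        on_error(job, name)            # error-recovery task
                    return "aborted"
                self._set(job, name, "failed", attempts)
                self.log(job, name, f"attempt {attempts} failed: {exc}")
                raise                                  # the runtime goes down; state is persisted
        if on_confirm:
            on_confirm(job)                            # confirmation task, e.g. notify by e-mail/SMS
        return "done"


class FlakyTarget:
    """Constructed target system whose password call fails the first `failures` times."""

    def __init__(self, failures):
        self.failures = failures
        self.calls = []

    def create_account(self):
        self.calls.append("create_account")

    def set_initial_password(self):
        self.calls.append("set_initial_password")
        if self.failures > 0:
            self.failures -= 1
            raise TransientFailure("target system unreachable")

    def assign_roles(self):
        self.calls.append("assign_roles")


def run_scenario(failures=1):
    """Start a fresh runner after each crash on the same database and collect what happened."""
    conn = sqlite3.connect(":memory:")      # stands in for the Identity Center database
    target = FlakyTarget(failures)
    notifications = []
    tasks = [("create_account", target.create_account),
             ("set_initial_password", target.set_initial_password),
             ("assign_roles", target.assign_roles)]
    outcomes = []
    for _ in range(failures + 1):
        runner = ProvisioningRunner(conn)
        try:
            outcomes.append(runner.run_job("job-42", tasks,
                                           on_confirm=lambda j: notifications.append(j)))
            break
        except TransientFailure:
            outcomes.append("crashed")
    return outcomes, target.calls, notifications, runner.audit("job-42")


if __name__ == "__main__":
    print(run_scenario(1))
```

Because the state table is the source of truth, the restarted runner does not call `create_account` a second time (which would fail or create a duplicate on the target), and the confirmation task runs exactly once, after the last task succeeds; when the retry budget is exhausted the error-recovery hook runs instead and the job is marked aborted in the same audit log that a report generator could query.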

III.2 SAP Identity Management Architecture

A different way of viewing the identity components is to look at the layered architecture shown below.

The lowest layer contains the existing applications and the next layer, the Data Services layer, contains the identity store. The proper functioning of all the other identity management applications depends on the identity store.

Figure III.10 – Identity management architecture

Applications & Repositories. All existing ICT infrastructure in an organization, including the data repositories and the applications/interfaces that are used to access them. These may be business applications of various kinds containing customer and product information; specific applications maintaining identity data, such as human resources applications; or applications used to maintain other types of information, such as document management systems.

Data Services. The Data Services layer builds a uniform, normalized, integrated view of the Applications & Repositories layer. This is achieved through services/functions such as synchronizing, joining and publishing data and providing access to data. The Identity Store is a core component of the Data Services layer. It is used to gather information about all identities throughout all applications in the organization. In many cases, the identity store may also be implemented using Virtual Directory Server.

Identity Services. This layer consists of the services that are offered on the basis of the Data Services layer. These include provisioning, authentication, authorization and virtualization.

Identity Applications. This layer consists of all applications using the Identity Services. This may be the identity-management components of existing applications, as well as functions such as workflow, federation, single sign-on and self-services.

SAP NetWeaver Identity Management has a strong presence in the identity management space, as shown in the figure below.

Figure III.11 – The SAP NetWeaver Identity management products

III.2.1 SAP Identity Center (IC)

The architecture of the Identity Center is designed to provide maximum flexibility, scalability and security in a single software solution. This allows identity management across multiple applications and databases both within the organization and in an extranet environment.

The Identity Center manages all of its activities from a core database and supports both Microsoft SQL Server and Oracle. All components in the solution interact with the database to ensure that all identity management activities are properly executed.

Figure III.12 -Identity Center Architecture

The Identity Center consists of the following components:

IC database. All information about provisioning/workflow tasks and jobs, the identity store, scheduling information, state information and audit/logs is kept in this passive store.

For my implementation I have installed an Oracle database 11g and Oracle Client.

Dispatcher/Runtime engine. These components act as local or remote agents for the Identity Center and are responsible for processing both provisioning and synchronization tasks.

Service/Event agent. An event agent can be configured to take action based on changes in different types of repositories such as directory servers, message queues or others. The event agent will detect changes and submit information to the Identity Center. The dispatcher will then initiate execution of a given job. This mechanism is optional and its only purpose is to initiate synchronization based on changes in repositories in addition to the scheduled operations.

Workflow UI. The Workflow web interface is used for all end-user registration/self service, password resets and approval of tasks.

Monitoring UI. The Monitoring web interface is used to provide an overview of the system status, audit and logs during daily operations.

Management console. The Design user interface is used for configuring the Identity Center, including provisioning/workflow tasks and jobs.

Identity Store

One of the core functions of an identity management solution is to build a central repository containing the identity information – the so-called Identity Store. The data in the Identity Store is located in the Identity Center Database.

The Identity Center is also responsible for provisioning identity data into various connected systems (so-called consuming systems) and also for retrieving identity data from systems (so-called leading systems). It uses a relational database for the configuration data, logging and status information, as well as for the identity store and all provisioning and workflow states.

Any organization depends on the identity information for authorizing entities (for example employees, partners, customers and applications) as well as for authorizing access to applications.

The actual identity information, in addition to the unique identifier for the entity, consists of a number of attributes, including the user password or pass phrase used for authentication, the white pages information (telephone number, address, e-mail address, etc.), access control information, and possibly a great deal more.

A strong authentication mechanism (for example using biometrics) is of no use if the identity information is not updated.

A directory server is a good choice for publishing the information, as it offers a standardized way of accessing the information, using the LDAP or the DSMLv2 protocols, which both are on-the-wire standards. In addition, the Virtual Directory Server can be used to give a different view of the same data to different applications or users, as well as retrieving real-time identity information from any type of repository.

Figure III.13 – VDS Synchronization with Identity Store

The Identity Center has been using a relational database for this purpose for several years. A relational database has several features which are useful for holding the identity information. These features, for example foreign keys and column constraints as well as triggers and stored procedures, are normally lacking from a directory server. Any report generator can also be run on a relational database. The directory services will ensure that the identity store is synchronized with the various repositories and applications within the organization, while the various attributes for the identities may be owned (managed) by different applications.

III.2.2 Data Synchronization Engine

The Data Synchronization Engine is responsible for any low-level operation on the applications and repositories. It runs as part of the Identity Center. The Data Synchronization Engine is based on creating jobs that consist of passes. Each pass in a job performs one specific task, such as reading from a data source (known as From-passes), or writing to a data source (known as To-passes).

The Data Synchronization Engine reads from a repository using one of the From-passes. The data from all From-passes is stored in the internal database and joined when writing to the target repositories. A change-log can be used when reading data, to ensure that only updates are read. The delta mechanism can be used both when reading and writing, to reduce system load and speed up the process.

The Data Synchronization Engine can also manipulate attributes when processing data or combine data in all conceivable ways, using the SQL engine of the database. Note that the Data Synchronization Engine is non-intrusive, and is not limited to writing data to a directory.

It may just as well be used to synchronize from a text file into an Oracle database, as synchronizing from an XML source into a directory server. Also note that the Data Synchronization Engine does not require any modifications in the existing repositories.

Figure III.14 – Data Synchronization Engine architecture
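To make the job/pass model and the delta mechanism concrete, the following is an added toy model (written for this text, not SAP code): two From-passes stage an HR export and an e-mail file in an internal sqlite database, a To-pass joins them with SQL and writes only new or changed entries to the identity store, using a change-log of record hashes. The repository contents, the MX_-style attribute names and the three-pass job layout (mirroring Appendix A) are assumptions made for the example.

```python
"""Toy model of an Identity Center synchronization job (added example, not SAP code).

A job is a list of passes. From-passes read a repository into the engine's
internal database (sqlite here, standing in for the Identity Center database);
a To-pass joins the staged data with SQL and writes it to the target identity
store. A change-log of per-record hashes implements the delta mechanism, so a
To-pass only writes entries that are new or changed since the previous run.
All repository names, attribute names and sample rows below are constructed.
"""
import csv
import hashlib
import io
import sqlite3

# Constructed HR export (what the "Read HR Data from DB" pass would return)
HR_ROWS = [
    ("1001", "Ana", "Popescu", "Finance"),
    ("1002", "Ion", "Ionescu", "IT"),
    ("1003", "Maria", "Dumitru", "HR"),
]

# Constructed e-mail file (what the "Read emails from files" pass would return)
EMAIL_FILE = """employee_id,mail
1001,ana.popescu@example.invalid
1002,ion.ionescu@example.invalid
"""


def record_hash(*values):
    """Fingerprint of one identity-store entry, stored in the change-log."""
    return hashlib.sha256("\x1f".join(values).encode()).hexdigest()


class SyncEngine:
    def __init__(self):
        self.db = sqlite3.connect(":memory:")  # internal database of the engine
        self.db.executescript("""
            CREATE TABLE hr(employee_id TEXT PRIMARY KEY, first TEXT, last TEXT, dept TEXT);
            CREATE TABLE mail(employee_id TEXT PRIMARY KEY, mail TEXT);
            CREATE TABLE changelog(employee_id TEXT PRIMARY KEY, hash TEXT);
        """)
        self.identity_store = {}  # target repository: employee id -> attributes

    # --- From-passes: read a repository into the internal database -------
    def from_pass_hr(self, rows):
        self.db.execute("DELETE FROM hr")
        self.db.executemany("INSERT INTO hr VALUES (?,?,?,?)", rows)

    def from_pass_email(self, text):
        self.db.execute("DELETE FROM mail")
        reader = csv.DictReader(io.StringIO(text))
        self.db.executemany("INSERT INTO mail VALUES (?,?)",
                            [(r["employee_id"], r["mail"]) for r in reader])

    # --- To-pass: join staged data and write only the delta --------------
    def to_pass_identity_store(self):
        """Join the From-pass tables with SQL; write entries whose hash changed."""
        joined = self.db.execute("""
            SELECT h.employee_id, h.first, h.last, h.dept, COALESCE(m.mail, '')
            FROM hr h LEFT JOIN mail m ON m.employee_id = h.employee_id
        """).fetchall()
        written = 0
        for emp_id, first, last, dept, mail in joined:
            new_hash = record_hash(first, last, dept, mail)
            row = self.db.execute("SELECT hash FROM changelog WHERE employee_id = ?",
                                  (emp_id,)).fetchone()
            if row and row[0] == new_hash:
                continue  # delta mechanism: unchanged since last run, skip the write
            # Assumed attribute names modelled on the MX_ naming convention
            self.identity_store[emp_id] = {"MX_FIRSTNAME": first, "MX_LASTNAME": last,
                                           "MX_DEPARTMENT": dept, "MX_MAIL_PRIMARY": mail}
            self.db.execute("INSERT OR REPLACE INTO changelog VALUES (?,?)", (emp_id, new_hash))
            written += 1
        self.db.commit()
        return written  # number of entries actually written (deletions are not modelled)

    def run_job(self, hr_rows, email_text):
        """One job = From-pass HR, From-pass e-mail, To-pass identity store."""
        self.from_pass_hr(hr_rows)
        self.from_pass_email(email_text)
        return self.to_pass_identity_store()
```

Running the same job twice writes nothing the second time; changing one HR row causes exactly one write, which is the load reduction the delta mechanism is meant to provide.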

III.2.3 SAP Virtual Directory Server (VDS)

A virtual directory provides the organization with real-time access to the identity information, as well as to other critical information, by providing a single access point to all information.

The Virtual Directory Server can also be used to control access to the identity data. It is able to present the same data in different ways to different groups of users. It can also be used to write-protect or hide certain attributes, for example when making information available externally.

SAP NetWeaver Identity Management Virtual Directory Server can logically represent information from a number of disparate directories, databases, and other data repositories in a virtual directory tree. Different users and applications can, based on their access rights, get a different view of the information.

Features like namespace conversion and schema adaptations provide customers with a flexible solution that can continually grow and change to support various demands from current and future applications and demands for security and privacy without changing the underlying architecture and design of data stores like databases and directories.

Figure III.15 – Virtual Directory Server

The Virtual Directory Server includes the following features: combine disparate data sources in a virtual directory tree, extensive server configuration possibilities, schema adaptations, attribute value modifications, namespace conversion, access to data sources using Java classes, caching of search results.

The Virtual Directory Server is not limited to reading information, but can also update the repositories, which has proven useful in PKI scenarios. When publishing certificates (or other information) there may be a need for analyzing the information, and taking some action based on the information before it is stored. The same information may be stored in several locations for simpler access from the applications.
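The following added example (written for this text, not SAP's Virtual Directory Server) models the features listed above: an HR database and a directory are combined into one virtual tree, DNs are converted into a virtual namespace, attribute names are adapted to a common schema, each connecting client gets a view that hides or write-protects attributes, and search results are cached. The repositories, DNs, attribute names and the two client profiles are constructed assumptions.

```python
"""Toy virtual directory view (added example, not SAP's Virtual Directory Server).

Two constructed backends, an HR database and an LDAP-style directory, are
presented as one virtual tree. A client profile decides which attributes are
readable and which may be written; everything else (here userPassword and
salary for the extranet view) is never returned or modified through the view.
"""
from copy import deepcopy

# Constructed backend repositories, each with its own naming context
HR_DB = {  # rows keyed by employee id, SQL-style column names
    "1001": {"firstname": "Ana", "lastname": "Popescu", "salary": "5200"},
    "1002": {"firstname": "Ion", "lastname": "Ionescu", "salary": "6100"},
}
AD_ENTRIES = {  # entries under the directory's own base DN
    "cn=1001,ou=users,dc=corp,dc=internal": {"mail": "ana.popescu@corp.internal",
                                             "userPassword": "{SSHA}constructed-hash-1"},
    "cn=1002,ou=users,dc=corp,dc=internal": {"mail": "ion.ionescu@corp.internal",
                                             "userPassword": "{SSHA}constructed-hash-2"},
}

VIRTUAL_BASE = "ou=people,o=virtual"                       # namespace shown to clients
SCHEMA_MAP = {"firstname": "givenName", "lastname": "sn"}  # schema adaptation

# Client profiles (assumed): attributes a connecting identity may read or write
VIEWS = {
    "internal-hr": {"read": {"givenName", "sn", "mail", "salary"}, "write": {"salary"}},
    "extranet":    {"read": {"givenName", "sn", "mail"}, "write": set()},
}


class VirtualDirectory:
    def __init__(self):
        self._cache = {}  # (client, base) -> search result

    def _virtual_dn(self, emp_id):
        return f"cn={emp_id},{VIRTUAL_BASE}"  # namespace conversion

    def _ad_dn(self, emp_id):
        return f"cn={emp_id},ou=users,dc=corp,dc=internal"

    def _build_entry(self, emp_id):
        """Join HR and directory data for one identity into a virtual entry."""
        entry = {SCHEMA_MAP.get(k, k): v for k, v in HR_DB[emp_id].items()}
        entry.update(AD_ENTRIES.get(self._ad_dn(emp_id), {}))
        return entry

    def search(self, client, base=VIRTUAL_BASE):
        """Return the virtual tree under `base` as seen by the client profile."""
        key = (client, base)
        if key in self._cache:
            return deepcopy(self._cache[key])
        allowed = VIEWS[client]["read"]
        result = {}
        for emp_id in HR_DB:
            dn = self._virtual_dn(emp_id)
            if not dn.endswith(base):
                continue
            full = self._build_entry(emp_id)
            # Attributes outside the view are dropped before anything leaves the server
            result[dn] = {a: v for a, v in full.items() if a in allowed}
        self._cache[key] = deepcopy(result)
        return result

    def modify(self, client, dn, attr, value):
        """Write through to the owning repository, if the view permits the attribute."""
        if attr not in VIEWS[client]["write"]:
            raise PermissionError(f"{client} may not modify {attr}")
        emp_id = dn.split(",")[0].split("=")[1]
        backend_attr = {v: k for k, v in SCHEMA_MAP.items()}.get(attr, attr)
        if backend_attr in HR_DB[emp_id]:
            HR_DB[emp_id][backend_attr] = value
        else:
            AD_ENTRIES[self._ad_dn(emp_id)][attr] = value
        self._cache.clear()  # cached search results are stale after a write
        return True
```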

III.3 OData Protocol

OData, short for Open Data Protocol, defines a protocol for querying and updating data using existing Web protocols. OData is a REST-based protocol for querying and updating data and is built on standardized technologies such as HTTP, Atom/XML and JSON. It differs from other REST-based web services in that it provides a uniform way to describe both the data and the data model.

It is considered to be a flexible technology for enabling interoperability between disparate data sources, applications, services and clients.

OData (Open Data Protocol) is an OASIS standard that defines best practices for building and consuming RESTful APIs. OData helps you focus on your business logic while building RESTful APIs, without having to worry about how to define request and response headers, status codes, HTTP methods, URL conventions, media types, payload formats, query options, etc. OData also offers guidance about tracking changes, defining functions/actions for reusable procedures and sending asynchronous/batch requests. Additionally, OData provides extension facilities to fulfill any custom needs of your RESTful APIs.

Chapter IV – SAP Identity Management Implementation

In this chapter I will present the implementation of SAP Identity Management. It is formed by the Identity Center console, which runs on an Oracle Database 11.2.0.1. The connection between the Oracle Database and the Identity Center is made through the Oracle client. The 32-bit installation kit was downloaded from SAP Marketplace and installed on the same server on which the Identity Center is running.

After installing and configuring the Oracle Database, Client and Identity Center on the same server (hostname netweaver), another installation of a DB2 database on a different server is required for the SAP Identity Management Portal installation.

This database is installed on a Linux platform (hostname pleistoros), on top of which I have installed SAP Identity Management, from where users can be administered later on. Before users can be administered from the console, configuration and synchronization jobs need to be created in SAP Identity Management.

I will now continue with the installation of the Oracle database and explain the steps required to set up the application.

IV.1 Identity Center Oracle database and client installation and configuration

As stated before, we need to install a database on which the Identity Center will run. The database can be any of the supported databases (Oracle, IBM DB2, Sybase or MSSQL).

I decided to install Oracle as it is a commonly used database. The installation was made by executing the install script from the Oracle executables.

Figure IV.1 –Oracle installation

After the installation succeeded, I ran catproc.sql and catalog.sql in order to prepare the database for the Identity Center install scripts.

Figure IV.2 –Oracle configuration

After the Oracle configuration took place, I installed the Oracle client, which acts as an agent between the Oracle Database and the Identity Center console.

Installing the Database Client

The Oracle client should be installed and configured on all servers connecting to the Identity Center database. In the presented case, the Oracle client is installed only on the netweaver server. The client software is part of the Oracle database installation package. For Oracle 11, the 32-bit client must be downloaded separately.

Figure IV.3 –Oracle Client Installation

After the installation of the Oracle Client has completed, a TNS connection to the Identity Management Oracle Database should be configured. This connection is needed in order to be able to log in to the Identity Center. The configuration is made through the Net Manager assistant, as presented in the picture below.

Select Start -> Programs -> Oracle -> Configuration and Migration Tools -> Net Manager.

Figure IV.4 –TNS configuration

After TNS has been configured correctly, a connection test must be performed.

Figure IV.5 –Connection test TNS

After the Oracle database, client and TNS have been configured, an installation script which includes the SQL to create the database users and roles of the Identity Center Database is used.

Table IV.1 –Identity Center installation scripts

As the Oracle database is installed on a Windows 32-bit platform, mxmc-install.cmd is run. During installation it asks for the database system user and the passwords for the Identity Center.

Figure IV.6 –Identity Center database installation

After the Identity Center configuration database has been installed, a test must be performed to make sure that the users have been added with the required authorizations.

In order to check the OPER users, we need to run the command file mxmc-test.cmd, located in the same directory as the installation cmd.

The result of the command file is a list of OPER users for each database.

Figure IV.7 –List of IC database operators

Enable the 7.2 Approval Mechanism on an Identity Center Database

The approval mechanism of the Identity Center is required for SAP NetWeaver 7.2 in order to connect to the Oracle database via the Identity Console.

The script mxmc-enable-72-approvals.cmd is located in the same directory as the installation script. On execution, the script asks for the mxmc_oper user and its password.

IV.2 Identity Center Management Console installation and configuration

In my implementation the Identity Center is installed on the Windows platform together with the Oracle database and Oracle client.

Figure IV.8 –Identity Center management console installation

The wizard leads through the installation. Default values were kept during installation.

The Java Runtime Environment for the Management Console is required to be configured.

Figure IV.9 –Management console configuration

The path for the JDBC drivers was obtained by providing the Oracle installation directory.

When the installation had completed, I started the configuration of the application: double-click on the Identity Center icon. The Keys.ini file will be referenced in the Identity Management Portal later on.

Figure IV.10 –Encryption keys generation

After a set of encryption keys was generated for SAP Identity Management, I added the Identity Center database: right-click on SAP NetWeaver Identity Management:

Figure IV.11 –Identity Center database configuration in management console

After the initial configuration for the database was added, an Oracle Database connector is needed. The wizard offers a complete guide on how to add this connector, as in the picture below.

Figure IV.12 –Identity Center connection wizard

I defined an Oracle Provider for OLE DB in order to connect to the database.

Figure IV.13 –Configuration for Oracle Provider OLE DB

When accessing the configuration menu for the connector, the mxmc_rt and mxmc_admin users and their passwords, created earlier by the Identity Center installation script, are required.

Figure IV.14 –Configure OLE DB connection

Figure IV.15 –Identity Center wizard finished

After the database has been added to the Management Console, dispatchers are needed to run synchronization jobs between the database and the portal. They are also responsible for performing reconciliation and bootstrapping. Multiple pairs of dispatcher/runtime engines can be used and dedicated to running specific types of jobs.

In the left pane of the tree choose IDM under SAP NetWeaver Identity Management -> Management -> Dispatcher. Right-click on Dispatcher -> New Dispatcher.

Figure IV.16 –Dispatcher configuration

After the dispatcher has been added, we need to rename it. It is recommended to give it a name that identifies the server on which it is running. Create the dispatcher scripts: in the top right corner -> Service scripts.

Figure IV.17 –Dispatcher scripts generation

IV.3 Virtual Directory Server Installation and configuration

The Virtual Directory Server connects to any number of repositories, and the information is presented to the user as one joined view. In addition, different users and applications may be given different views of the information. It will present the information in different ways, depending on the credentials used to connect. We first need to start the setup for the corresponding platform and supply the necessary information.

Figure IV.18 –VDS installation

After the setup has finished, we need to configure VDS to connect to external directories, in order to be able to connect IDM to the HCM system in my case.

Figure IV.19 –VDS configuration

IV.4 SAP NetWeaver AS JAVA Portal installation and configuration

The NetWeaver AS Java Portal has been installed on Linux OS with a DB2 database. The command below starts the DB2 database together with the Java Central Services in order to get the portal up and running.

Figure IV.20 –Portal installation and configuration

Figure IV.21 –Portal status

Below are the processes running under the users db2idm and idmadm.

Figure IV.22 – portal processes on OS level

Figure IV.23 –DB2 processes

Configuration for NetWeaver 7.3 EHP 1 is made through SAP NetWeaver Administrator (NWA).

In order to access the portal we need to enter http(s)://<host>:<port>, which will go to the index page.

Another way is to enter http(s)://<host>:<port>/nwa in browser. Both procedures will display the login page for the NWA.

Figure IV.24 –JAVA Start Page

To be able to use the Self Services tab and the other manager and administrator tabs in the Identity Management User Interface, the user must be defined both in UME and in the Identity Center's identity store.

The user is added to the Identity Store by logging in to the Identity Center and adding administrator privileges for the administrator user.

Figure IV.25 –add administrator privileges

In order to add administrator privileges, the option Add administrator privileges must be checked, which gives access to the manager/administrator tabs in the User Interface.

Figure IV.26 –Settings for MX_PERSON

To be able to use the Self Services tab and the other manager and administrator tabs (except the Monitoring tab) in the Identity Management User Interface, the user must be defined both in UME and in the Identity Center's identity store. This is not necessary for access to the Monitoring tab; there it is sufficient that the user exists in UME.

Self-service tasks, where users can change their own user data, request roles and so on, can be accessed from the Self Services tab.

We need to select User Management, which starts the user management administration console of the User Management Engine (UME).

Figure IV.27 –UME configuration

We need to enter idm* in the Get field and choose Go. Then we select the idm_authenticated action and choose Add.

The idm_authenticated action is now assigned to the role, and this is shown under Assigned Actions as in the picture below.

Figure IV.28 –IDM authenticated users

Assigning the idm.authenticated role to a user group is just one of several ways to give general access to the User Interface.

In the Available Groups pane, we can choose Go to list all available groups, select the Authenticated Users group and choose Add.

Figure IV.29 –Add administrator to authenticated users

The Authenticated Users group is now given the role and this will be shown in the right pane (Assigned Groups).

Now that the role is created, the administrator user is able to access the Identity Management User Interface (and the Self Services tab).

Figure IV.30 –Administrator permissions

Now that the role is created, I’m able to access the Identity Management User Interface (and the Self Services tab).

Figure IV.31 –Self Services tab

The Identity Center Workflow module has a web interface for approvals and registrations and makes use of the Identity Center provisioning module to perform operations, including the approval process.

From the Identity Center user interface one can configure which attributes to prompt for, which attributes are mandatory, and what other information to show. In a more advanced scenario, any member of a given group may be allowed to perform approvals. There may also be several approvals, which must all be performed before the provisioning takes place. For example, the department manager may approve the title of the user, while the mail administrator defines the mail server and the storage quota for e-mail.

After the Oracle Database and Client installation and the VDS installation, configuration and integration with an HCM system, we can now start the configuration and integration of the Identity Center into the SAP Portal.

This is done by first creating a basic synchronization job in the Identity Center to gather information from the HCM system, and running it. Screenshots of the job configuration are attached in Appendix A.

Figure IV.32 –Basic Synchronization job

Now log in to the Identity Management user management:

Figure IV.33 –Identity Management Portal access

For now, only the administrator is present in the person field. We need to run the synchronization job created earlier from the Identity Center.

Figure IV.34 –Run Basic Synchronization job

The users are now uploaded to the Identity Management Portal and can be managed from the portal:

Figure IV.35 – Check user upload to IDM Portal

There are still no tasks defined for the users. We need to import the default form package for HR from the SAP Identity Management installation.

Figure IV.37 –Check users permissions

The imported folder with all the User Interface tasks is added to the Identity Center identity store.

Figure IV.37 –Import default HR packages

Figure IV.38 –HR package import

Figure IV.39 –Import users from HR table

Now we need to check in Identity Management that the users have all the details imported from the HR table.

Figure IV.40 –Check users after HR package import

We can now check whether the users have been imported from the HR data.

Figure IV.41 – Check user permissions

Figure IV.42 – Check users approvals

Figure IV.43 –Users approvals to self-service

Chapter V – Conclusions

During the course of this paper I have explored a centralized user management solution in SAP composed of SAP Identity Management and SAP Governance and Risk Compliance, using business and technical roles to define appropriate workflows that ensure that audit, security and legal guidelines are followed, while preserving business processes.

The IT community often thinks of SAP IDM as the replacement of SAP Central User Administration, even though it should merely be considered its successor, as the functionality it offers extends far beyond that of CUA. Unlike other user management solutions for SAP, SAP IDM is not limited to SAP applications and provides user administration and several other services for the entire IT landscape of the company, including non-SAP systems.

Account provisioning is done by creating identities as opposed to accounts. If one tries to implement separate user management solutions and processes on individual applications and developments (e.g. mergers and acquisitions), the task of linking several different accounts to a single person within the company who changed function, left the company or even committed fraud becomes increasingly difficult.

One of the most important capabilities that SAP IDM offers is that of creating structure in places lacking it. This structure is created by basing the workflow logic on the idea that employees have identities. By understanding “identity lifecycles” and translating them into accounts and authorizations, SAP IDM enforces the relationship between employees and their accounts. As a result, finding out who logged into an application and what that person’s options within the IT landscape are is only a couple of clicks away. Any deviation from the norm can be easily and quickly flagged and investigated.

The newer releases of all these systems are based on a new common technological platform, which facilitates easier integration between all system types: the SAP NetWeaver platform.

In my thesis I set out to explain the basics of Identity and Access Management, by reviewing concepts such as User Provisioning, technical role assignment based on business role and the importance of compliance solutions with regard to an organization’s enterprise systems.

I set out to dive a little deeper into what we do with Identity Management, by discussing why one might need such a solution, particularly where Enterprise Resource Planning (ERP) systems, such as SAP, are needed.

I decided to write about this innovative SAP solution because users are not effective in the enterprise unless they are enrolled in the various ERP modules that make their organization work. Applications such as SAP IDM work with all major varieties of SAP systems (ABAP, Java, ABAP+Java) to provide complete life cycle support, including password management, for employees, contractors, guests and other users of the organization’s systems.

SAP Identity Management comes with pre-built frameworks to handle all of these systems, and more importantly, they can be customized to create workflows that allow organizations to provision users as they see fit.

Regarding role management, SAP Identity Management provides the ability to define, manage, and assign roles in SAP systems and reduce the complexity of these operations.

However, the complexity and flexibility of the identity creation process also brings with it a serious limitation: SAP IDM cannot be easily used in companies that are active in more than one country.

Laws and financial legal regulations may differ substantially from country to country. As such, employees that have to use SAP for such tasks may need different permissions and roles than their counterparts from other countries. From the applications perspective, this means that the technical role behind a business role is not universally valid, making the creation of several business roles for the same position a necessity.

For companies spanning a large number of countries, the drawback of creating these many business roles may in fact surpass the benefits that can be reaped from the notion of business roles.

Large companies use many of these systems to effectively run their business. This of course raises the security problem of their IT system landscape. As ERP Systems always play the central role in these landscapes, their security is of great concern for the companies.

Identity Management additionally offers the organization and its security professionals the ability to proxy access to user provisioning operations in a secure way.

Rather than granting direct access to applications such as the NetWeaver Web Administration module, focused tasks can be created in SAP Identity Management that permit designated users to create accounts, assign basic roles and manage access. This is much safer than granting any direct access to administration modules.


List of Figures

Figure I.1 – Architecture of SAP NetWeaver AS

Figure I.2 – SAP Web AS layers

Figure II.3 – Comparison of the Authorization Concepts

Figure III.1 –SAP Identity Management overall integration

Figure III.2 –SAP Identity Management integration with SAP and Non-SAP applications

Figure III.3 – Technical role assignment based on business role

Figure III.4 – Workflow for approvals

Figure III.5 – LDAP Integration with SAP IDM

Figure III.6 – SAP IDM Integration with SAP Business Suite

Figure III.7 – Personnel lifecycle

Figure III.8 –Identity Management Components

Figure III.8 -Password Management

Figure III.9 -Provisioning task structure

Figure III.10 -Identity management architecture

Figure III.11 – The SAP NetWeaver Identity management products

Figure III.12 -Identity Center Architecture

Figure III.13 – VDS Synchronization with Identity Store

Figure III.14 – Data Synchronization Engine architecture

Figure III.15 – Virtual Directory Server

Figure III.16 –VDS Firewall scenario

Figure IV.1 –Oracle installation

Figure IV.2 –Oracle configuration

Figure IV.3 –Oracle Client Installation

Figure IV.4 –TNS configuration

Figure IV.5 –Connection test TNS

Figure IV.6 –Identity Center database installation

Figure IV.7 –List of IC database operators

Figure IV.8 –Identity Center management console installation

Figure IV.9 –Management console configuration

Figure IV.10 –Encryption keys generation

Figure IV.11 –Identity Center database configuration in management console

Figure IV.12 –Identity Center connection wizard

Figure IV.13 –Configuration for Oracle Provider OLE DB

Figure IV.14 –Configure OLE DB connection

Figure IV.15 –Identity Center wizard finished

Figure IV.16 –Dispatcher configuration

Figure IV.17 –Dispatcher scripts generation

Figure IV.18 –VDS installation

Figure IV.19 –VDS configuration

Figure IV.20 –Portal installation and configuration

Figure IV.21 –Portal status

Figure IV.22 – Portal processes on OS level

Figure IV.23 –DB2 processes

Figure IV.24 –JAVA Start Page

Figure IV.25 –add administrator privileges

Figure IV.26 –Settings for MX_PERSON

Figure IV.27 –UME configuration

Figure IV.28 –IDM authenticated users

Figure IV.29 –Add administrator to authenticated users

Figure IV.30 –Administrator permissions

Figure IV.31 –Self Services tab

Figure IV.32 –Basic Synchronization job

Figure IV.33 –Identity Management Portal access

Figure IV.34 –Run Basic Synchronization job

Figure IV.35 – Check user upload to IDM Portal

Figure IV.37 –Check users permissions

Figure IV.37 –Import default HR packages

Figure IV.38 –HR package import

Figure IV.39 –Import users from HR table

Figure IV.40 –Check users after HR package import

Figure IV.41 – Check user permissions

Figure IV.42 – Check users approvals

Figure IV.43 –Users approvals to self-service

List of Tables

Table IV.1 –Identity Center installation scripts

Appendix A

I. Read emails from files

II. Read HR Data from DB

III. Write to Identity Store
