SAP Identity Management – An Introduction

Welcome to another exciting contribution in the field of Identity and Access Management (IAM). In this blog post, we will look at one of the many IAM solutions[1] available on the market: SAP Identity Management (SAP IDM). You will get an insight into the functionality and features of the Identity Management system. We will answer questions like: What actually is SAP IDM? Why, or under which conditions, should you use SAP IDM? What are the advantages of this IAM solution?

 

Due to our many years of experience with the use and implementation of this product from the well-known Walldorf software giant, we are able to provide you with satisfying answers. Thanks to our expertise in the field of identity & access management with leading providers and amiconsult’s own way of “thinking outside the box”, we always advise with your needs in mind and an eye to the future.

What is the SAP IDM? – Functionality and features

Today’s working world has undoubtedly entered the age of digitalisation. Analogue processes are being replaced by digital ones in the course of digital transformation and where this is not possible, a digital image – or better a digital representation – is being created in parallel. In most cases, this digital transformation goes hand in hand with an agile transformation or uses agile methods[2], which is why we also speak of an agile digital transformation.

 

An essential, central task for any company is establishing identity, access and authorisation control. Whether it is gatekeepers, guest lists, keys or badges: in the analogue world, there are mechanisms that give people an identity and regulate who may enter which area or perform which action.

 

For example, customers are allowed to enter the sales area, but only company employees are allowed to enter the warehouse or the break room. And only certain employees of the company may have access to the checkout area.

 

In the digital representation, an employee or customer who logs in must also be identified and the permissions set correctly. This is done using an Identity & Access Management (IAM) solution. An IAM solution centrally manages the master data of the users as their identity and informs the various applications whether the logged-in user is authorised to use resources. Or to put it another way: “Identity and access management (IAM) is the discipline that enables the right individuals to access the right resources at the right times for the right reasons.”[3]

 

The digital infrastructure in companies is increasingly developing into a more complex, more heterogeneous landscape. A landscape consisting of different software from different providers, which offers users quick and easy access to the numerous applications in use. At the same time, new data protection regulations and audits require extensive audit logging, which is becoming increasingly complex in the face of information distribution.

 

Figure 1: Connectivity to SAP and non-SAP systems[4]

 

The SAP IDM thus manages the identities and access authorisations of its users and provides these to connected systems. It controls the entire life cycle of a digital identity/representation and ensures that new data or changes are distributed synchronously to all connected systems.

 

With the SAP IDM user interface, the master data and approval workflows of all users can be viewed and managed centrally. Since the user interface is also based on SAP NetWeaver Java technology, it can be perfectly adapted to your own needs ;).

 


Figure 2: SAP IDM user interface[5]

 

Technically, the SAP Identity Management System consists of two main components: the Identity Center and the Virtual Directory Server, which provide the following functions: 

  • Password management
  • Role and entity control
  • Reports and audit information
  • Automated authorisation workflows
  • Data synchronisation across multiple systems

Let me illustrate this with a usage scenario:

Hans Müller had a job interview at Global Distribution PLC, where he applied as a sales employee.

 

One week in advance of his start date, his personal data (first name, last name, address and phone number) is forwarded to the HR department and manually entered into the SAP Human Capital Management (HCM) system by one of the HR employees.

 

Once the data has been entered, it is automatically provisioned to the on-premises SAP Identity Management system, which recognises that this is a new Global Distribution PLC employee. The employee profile creation process is initiated:

  1. A new user with the name Hans Müller is created in the Active Directory.
  2. He is assigned a unique user identification (e.g. GD_067456).
  3. An email address [email protected] and an Office365 identity are created.
  4. The telephone number is entered in the company’s own telephone book.
  5. The user is assigned the role “Sales employee”, which gives access rights to the folder “Sales documents” and creates an account within a sales application.

 

On his first day at work, Hans can start work immediately and access all the resources and applications needed to work productively.

 

Let’s take our usage scenario further:

Things are going well and one year after starting his job, Hans is promoted and is now manager of the entire team. When his role is changed, SAP IDM gives him all the access included in the new role and passes the changes to the user identity on to all connected systems. Hans now has access to employee folders in SharePoint, can approve processes himself and is granted superuser privileges in SAP ERP.

 

As Hans knows how important IT security is, he now wants to change his password. Thanks to SAP IDM’s own self-service, he does not need the help of the IT department. He changes his password on the SAP IDM self-service page, which then updates his password in all connected applications. A small step for him, but a big step for his IT security 😉.

But all good things must come to an end:

After a long time on the job, Hans finally leaves Global Distribution PLC. The HR department sets the leaving date and the SAP IDM carries out the deletion of the identity in the various systems, revokes the authorisations and deactivates the email address.

 

Should an auditor later carry out an audit, the HR department can refer to a detailed log and generate a report without having to manually collect information from various places.

 

Now you should have an overview of the possibilities and scenarios with SAP IDM.

 

Why or when to choose SAP IDM as an IAM solution? – Advantages and features 

Now that you know what SAP IDM is and how it works, let’s look at why you should use it. What are the benefits of SAP Identity Management?
Under what circumstances should you, as an IT decision-maker, consider switching to or using SAP IDM?

 

First of all, it should be mentioned that every situation has its own individual requirements that you have to take into account when making your decision:

  • Is it a green field approach, i.e. the use of an IAM product in an environment where no IAM has been used before?
  • Or is an IAM already in use?
  • Are other SAP products used in the IT environment?
  • What is the usage scenario?
  • Are applications used on-premise or cloud-based?
  • How many users (employees, partners, customers) should be managed by the IAM?

 

A common setup where SAP IDM can show its strengths and an implementation makes sense might look like this:

  • You work with many different applications in a heterogeneous IT landscape.
  • Many of the applications are on-premise, others cloud-based.
  • SAP products are already in use and your employees have to switch regularly between SAP and non-SAP products.
  • Your company exceeds 1,000 employees and/or customers who need to be authenticated and managed.

 

If this applies to you, SAP Identity Management is the preferred IAM solution for your company, from both an economic and an IT perspective. From a purely cost perspective, SAP Identity Management is already included as part of the SAP licence and can be used out-of-the-box for the management of SAP products at no additional cost. From a technical point of view, SAP IDM already provides many connectors (to SAP as well as non-SAP systems) that can be integrated into your existing landscape.

 

In the following, we will take a look at the additional benefits you can profit from by implementing SAP IDM.

 

Security

The first aspect to mention is of course the greatly increased security. With central user administration, there is generally only one point of attack instead of many different ones. Imagine building a house with many different windows and several front doors. Each of these doors and windows offers criminal elements the opportunity to gain access to the house. As a homeowner, you need to secure and control each window and front door extensively.
The fewer windows and doors, the less effort is required and the more you can concentrate on securing the remaining access points. In a real house, you would be in the dark with few windows, but we only mentioned that as an example. 😊  With SAP IDM, you are more likely to bring light into the data darkness.

 

With its extensive logging, the automated deactivation of rights and users on day X, and the provisioning of these deletion requests to all connected systems, SAP Identity Management makes a significant contribution to monitoring the system and avoiding “account corpses”. It is precisely these “account corpses” – i.e. user accounts with access rights that were not, or only partially, deactivated or withdrawn after employees left – that represent a major security risk in any modern IT system. Unfortunately, they often serve as the first point of leverage for hackers to gain unauthorised access. Centralising user administration and synchronising identities and rights across the various connected applications and systems is therefore an integral part of overall security.
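A reconciliation check for the “account corpses” described above, as an added example that is not part of the original article and does not use any SAP IDM API: it compares HR leaving dates with account exports from connected systems and also lists accounts that match no HR record. All data, field names and system names are constructed assumptions.

```python
from datetime import date

# Constructed sample data; the field names are assumptions, not an SAP IDM schema.
HR_RECORDS = {
    "GD_067456": {"name": "Hans Müller", "leaving_date": date(2024, 3, 31)},
    "GD_067457": {"name": "Erika Muster", "leaving_date": None},  # still employed
    "GD_067458": {"name": "Jan Beispiel", "leaving_date": date(2024, 6, 30)},
}

# One export per connected system: user id -> account state in that system.
SYSTEM_ACCOUNTS = {
    "active_directory": {
        "GD_067456": {"enabled": False, "roles": []},
        "GD_067457": {"enabled": True, "roles": ["Sales employee"]},
        "GD_067458": {"enabled": False, "roles": []},
        "svc_backup": {"enabled": True, "roles": ["Backup operator"]},
    },
    "sales_app": {
        "GD_067456": {"enabled": True, "roles": ["Sales employee"]},
        "GD_067458": {"enabled": False, "roles": ["Sales employee"]},
    },
}


def find_account_corpses(hr_records, system_accounts, today):
    """Return (system, user_id, reason) for every account that should be gone."""
    findings = []
    for system, accounts in sorted(system_accounts.items()):
        for user_id, account in sorted(accounts.items()):
            hr = hr_records.get(user_id)
            if hr is None:
                # No identity owns this account: needs a manual owner review.
                findings.append((system, user_id, "no matching HR identity"))
                continue
            left = hr["leaving_date"]
            if left is None or left >= today:
                continue  # still employed (assumption: access ends after the leaving date)
            if account["enabled"]:
                findings.append((system, user_id, "still enabled after leaving date"))
            elif account["roles"]:
                # Partial deprovisioning: login blocked, authorisations left behind.
                findings.append((system, user_id, "disabled but roles not revoked"))
    return findings


if __name__ == "__main__":
    for finding in find_account_corpses(HR_RECORDS, SYSTEM_ACCOUNTS, date(2024, 7, 15)):
        print(*finding, sep=" | ")
```
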

 


Figure 3: SAP IDM in the context of SAP’s product portfolio[6]

 

In addition, the security-relevant data stored in existing SAP applications is often not visible to non-SAP systems. For an IAM system, an SAP application can therefore be like a black box, resulting in gaps. The SAP Identity Management System, on the other hand, already has native connections to SAP applications and also the possibility to be connected to the most important third-party and non-SAP products without incurring additional costs.

Relieving user administration

The use of SAP IDM will noticeably relieve your system managers/IT admins. On the one hand, operation is facilitated by the use of browser-based UIs and an Eclipse-based development environment, and on the other hand, admins have to initiate and decide less, as SAP IDM already takes over corresponding tasks in the background through automated workflows and coupled processes (e.g. with role-based assignment of rights). This is further enhanced by the complete replacement of paper-based authorisation requests, which makes them easier to archive and much easier to search.

 

Some of the time-consuming processes that IT admins previously had to carry out manually are now possible without their involvement. For example, by using a self-service portal, users can perform cross-system password resets and thus drastically reduce the response time and support effort for IT colleagues.

 


Figure 4: Password Reset in SAP IDM[7]

 

Also, the fact that process workflows are automated, such as in the case of a new entry or role change, and can be triggered directly by the HR department, for example, will relieve your IT administrators and free them up for more important tasks.

 

The possibility of mass creation and modification of users by simply uploading a CSV file, the simple and individual customisation of workflows, as well as the retrieval and updating of user data at a central location, makes quick and central intervention possible whenever it is required.

 

Auditing and reports

The audit-proof assignment of authorisations and the extensive audit functionality of SAP IDM enable the creation of reports of all current and past access events and actions performed.

 

Should a security breach occur or the issue be relevant within an audit, it is possible at any time to generate a (customisable) report on the authorisations and actions of an individual user at a specific point in time.

 

Who initiated a change? What type of change was initiated? What data was stored before it was changed? When exactly was the change made?
All changes to data, user access rights and administrative permissions can be managed and tracked in this way without the need for you to manually search for information from various sources.
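How a change log that answers these four questions supports a report on one user's authorisations at a specific point in time, as an added example that is not part of the original article and not SAP IDM's own data model: the log is replayed up to the requested moment, and entries that contradict the replayed state are reported as gaps. The records and field names are constructed assumptions.

```python
from datetime import datetime

# Constructed audit entries. Each one records who initiated the change (actor),
# what type of change it was (action), the value before (old) and when it happened.
AUDIT_LOG = [
    {"when": datetime(2023, 1, 9, 8, 0), "actor": "hr.clerk", "user": "GD_067456",
     "action": "assign_role", "old": None, "new": "Sales employee"},
    {"when": datetime(2024, 1, 15, 10, 30), "actor": "hr.clerk", "user": "GD_067456",
     "action": "revoke_role", "old": "Sales employee", "new": None},
    {"when": datetime(2024, 1, 15, 10, 30), "actor": "hr.clerk", "user": "GD_067456",
     "action": "assign_role", "old": None, "new": "Sales manager"},
    {"when": datetime(2029, 12, 31, 18, 0), "actor": "hr.clerk", "user": "GD_067456",
     "action": "revoke_role", "old": "Sales manager", "new": None},
    # Revocation with no recorded assignment: the log has a gap for this user.
    {"when": datetime(2024, 5, 2, 9, 0), "actor": "it.admin", "user": "GD_067458",
     "action": "revoke_role", "old": "Warehouse", "new": None},
]


def roles_at(audit_log, user, at):
    """Replay the log up to `at`; return (roles held, inconsistencies found)."""
    roles, problems = set(), []
    # sorted() is stable, so entries with the same timestamp keep their log order.
    for entry in sorted(audit_log, key=lambda e: e["when"]):
        if entry["user"] != user or entry["when"] > at:
            continue
        if entry["action"] == "assign_role":
            if entry["new"] in roles:
                problems.append((entry["when"], entry["actor"], "duplicate assignment"))
            roles.add(entry["new"])
        elif entry["action"] == "revoke_role":
            if entry["old"] not in roles:
                problems.append((entry["when"], entry["actor"], "revoke without assignment"))
            roles.discard(entry["old"])
    return roles, problems


if __name__ == "__main__":
    print(roles_at(AUDIT_LOG, "GD_067456", datetime(2024, 6, 1)))
    print(roles_at(AUDIT_LOG, "GD_067458", datetime(2024, 6, 1)))
```
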

 

Reports can be generated in different ways:

  • Basic reports are based on information from the SAP IDM database.
  • Advanced reports can be generated if SAP Business Warehouse (SAP BW) is also used. This allows more details and customisability of the reports.
  • Reports with a focus on visual presentation can be visualised using SAP Lumira.

 


Figure 5: Basic Report from SAP IDM[8]

 

In addition, tight integration with SAP Access Control enables effective mitigation of segregation-of-duties (SoD) risks and a fully legally compliant user provisioning process.

Simplified authentication in multi-system and hybrid scenario setup

As companies provide more and more employees, customers and business partners with access to information and processes in their system landscapes, the need for advanced and flexible single sign-on across the enterprise becomes increasingly important.

 

Thanks to the integration with SAP Single Sign-On and SAP Cloud Platform Identity Authentication (SAP IDA), SAP IDM meets this increased demand and therefore contributes to both a smooth user experience and improved security when logging into an on-premise and cloud system landscape.
SAP Single Sign-On provides support for many authentication systems, including passwords, tokens, X.509 certificates and smart cards.
SAP Cloud Platform Identity Authentication enables secure single sign-on in cloud environments. It includes the processes for managing identities and their lifecycles within the SAP Cloud portfolio.

 

Central security management with a standardised authentication system simplifies authentication for the user, who from now on only has to log in with a password to gain access to the various systems/applications. At the same time, it reduces the effort for IT, which manages changes to the user centrally.

 


Figure 6: SAP Identity Management and Authentication[9]

 

Conclusion

In this article, we looked at SAP Identity Management. What did we learn about SAP IDM?

 

As the successor to Central User Administration (CUA), SAP IDM not only supports the native connection of SAP’s own applications and technologies, but also provides out-of-the-box connectors to common non-SAP systems such as MS Azure and Active Directory, making it very easy to use in an SAP application-dominated IT landscape as well as in the additional use of non-SAP applications.

 

The native communication with SAP systems also allows extensive auditing and the generation of reports with just one click.

 

Since SAP IDM is built on the SAP NetWeaver architecture, which is Java-based, new connectors can be easily adapted to the needs of one’s own IT landscape, so that SAP IDM can communicate with almost any identity directory (repository).

 

Thanks to its role-based access control, it can ultimately propagate changes to permissions and access to all applications from a central user interface, thus contributing to higher security and relieving the burden on IT administrators.

 

What does all this mean for you and a potential use as an IAM system in your company?

 

The use of SAP IDM ultimately depends on various individual factors. As an integral and central part of your IT infrastructure, the decision for a certain identity management system should be well-considered, which is why a consultation before a change or in a planning phase is highly recommended. Back the right horse right from the start and take advantage of our unique expertise in Identity & Access Management through our IAM Healthcheck:

We carry out an as-is analysis of your existing architecture, processes and cyber security, create a documentation of the evaluation and prepare the results in an easy-to-understand presentation.

 

All cards are laid openly on the table: objectively and informatively. Advice from a friend with the aim of providing you with the basis for further informed decisions.

 

Is SAP IDM already at the top of your list of possible candidates for an identity management system because…

  • … you might have to manage the master data of more than 1000 customers and/or employees?
  • … your identity management system is to be used in a heterogeneous IT landscape consisting of various already existing SAP and non-SAP applications?
  • … applications are used both on-premise and cloud-based?

 

Then trust a reliable partner who has been working for SAP SE in the Identity & Access area for over ten years and knows the SAP Identity Management product in all its facets. Concentrated know-how at enterprise level without wearing blinkers. Our diversity and professional depth offer you the security of an individual consultation in which you and your specific requirements are the focus.

 

 


[1] For more information and an overview of the different IAM solutions, I highly recommend our blog article The landscape of Identity & Access Management solutions.

Author

Tobias-Marc
