Copyright © 2012, Oracle and/or its affiliates. All rights reserved. Confidential – Oracle Internal
Timm Seitz, Senior Architect, Oracle Solution Center SAP Competence
Oracle Identity Management
Oracle Identity Manager for SAP
Agenda
Identity Management - The Big Picture -
Overview Oracle Identity Manager for SAP
Integration OIM with SAP BO AC V10
Conclusion/Summary
Q&A
Identity Management - The Big Picture -
IdM: “Technology” Areas of Conflict
Identity Management Portfolio – 11gR2
Oracle's Commitment to the SAP business
• Oracle Database
• Services
• Hardware
• Server OS
• Virtualization
• Infrastructure
• Software
Oracle SAP Competence
The SAP Competence team within Oracle Corp.
Head of business: SAP Alliance and Channel Management
Oracle’s Global SAP Competence Center:
• SAP Support Center
• SAP OSC Architects
• SAP ISV Engineering
• Oracle/SAP Database
• SAP Market Development
• SAP Storage Experts
• SAP certified technologies
• One point of accountability
• SAP customer focused solutions
• Services defined to work together
• Direct or indirect customer support
Overall around 70 people in Walldorf/GER (SAP HQ) alone
OSC4SAP = sub-division/part of the global SAP Competence Center
Oracle Identity Manager for SAP
Identity Management by Oracle
Identity Management for SAP
• Oracle Identity Manager for SAP
  • Access request management
  • Provisioning/De-Provisioning
  • SAP specific SoD checks
• Oracle Database for SAP
  • DB Security/Vault
• Oracle Access Manager
  • SAP NetWeaver Enterprise Portal
  • SAML 2.0 / SSO
• Oracle Enterprise SSO for SAP
  • Passlogix
  • SAP GUI SSO
In-scope / Out-of-scope
OIM SAP Connectors as of May 2013
Oracle Identity Manager for SAP
[Diagram: Oracle Identity Manager – ICF Server hosting the Common Connectors and the SAP Connector (API/SPI), between the Trusted Source and the Target System; OIM/Waveset lineage.]
• Available SAP specific connectors:
  • SAP UM Connector
    • Standard SAP Provisioning +
    • Including SAP CUA support
    • Including SAP BO AC 5.3 support
    • Including SAP BO AC V10 support
  • SAP UME Connector
    • Standard SAP Provisioning +
    • Including SAP Federated Portal support
    • Including SAP BO AC 5.3 support
    • Including SAP BO AC V10 support
  • SAP Employee Reconciliation Connector
    • Specific SAP HCM/HR Connector
Oracle Identity Manager – SAP User Management Connector (May 2013)
Oracle Identity Manager for SAP
• Basic mode/functions:
  • Account creation or modification provisioning requests to either SAP ERP (ABAP) or SAP CUA/ZBV
• Supported provisioning methods:
  • Direct provisioning (OIM admin driven only)
  • Request-based provisioning (OIM user driven)
  • Access policy change provisioning (OIM automatic driven)
• Using official SAP BAPIs for all SAP target provisioning/account operations
[Diagram: OIM ↔ SAP UM Connector ↔ SAP BAPIs ↔ SAP ERP. Provisioning creates/updates SAP accounts; scheduled tasks reconcile direct SAP changes (made via SU01) against OIM users.]
SAP Central User Administration (CUA) = Zentrale Benutzerverwaltung (ZBV), ABAP
Oracle Identity Manager – SAP User Management Connector (May 2013), CUA scenario
Oracle Identity Manager for SAP
• Basic mode/functions and supported provisioning methods as for the direct SAP ERP case (account creation or modification requests to SAP ERP (ABAP) or SAP CUA/ZBV; direct, request-based and access policy change provisioning)
• SAP CUA point of view = indirect provisioning
[Diagram: OIM ↔ SAP UM Connector ↔ SAP BAPIs ↔ SAP CUA (provisioning and scheduled-task reconciliation); SAP CUA ↔ SAP BAPIs ↔ SAP ERP child systems (provisioning). ABAP only!]
SAP Central User Administration (CUA) = Zentrale Benutzerverwaltung (ZBV), ABAP
Oracle Identity Manager – SAP User Management Engine Connector
Oracle Identity Manager for SAP
• Basic mode/functions:
  • Account creation or modification provisioning requests to SAP AS Java based application components, e.g. SAP NW Enterprise Portal
• Supported provisioning methods:
  • Direct provisioning (OIM admin driven only)
  • Request-based provisioning (OIM user driven)
  • Access policy change provisioning (OIM automatic driven)
• Using official SAP Web Services for all SAP target provisioning/account operations
[Diagram: OIM ↔ SAP UME Connector (WS client) ↔ SAP SPML Service (Web Service) ↔ SAP AS Java. Provisioning creates/updates accounts; scheduled tasks reconcile direct SAP changes (made via the Admin Console) against OIM users.]
Oracle Identity Manager – SAP HCM/HR Connector
Oracle Identity Manager for SAP
• Basic mode/functions:
  • OIM Connector for SAP Employee Reconciliation (HCM Active Sync)
  • Retrieves employee records in real time from SAP HCM and creates identities for them in OIM
  • Typical use case: new hire
• Supported deployments:
  • Full reconciliation (all source system users)
  • Incremental reconciliation – tRFC (only changed or new user records)
  • SAP Intermediate Document (IDoc) based data exchange process / ASCII-based flat files (Application Link Enabling interface)*
• SAP HCM is the leading/authoritative source
• No support for SAP system account provisioning or reconciliation for SAP HCM
[Diagram: SAP ECC/HCM (HCM department, PA30) → SAP IDoc (HCM profile) → manual copy into the OIM directory → scheduled tasks → full reconciliation, creating and updating OIM users; SAP Java Connector, tRFC listener based → incremental reconciliation.]
*The connector supports all IDoc types that are associated with the HRMD_A message type
Oracle Identity Manager with SAP BO Access Control V10
Oracle Enterprise Governance Suite: Risk-based Certification and Segregation of Duties Analysis
[Diagram: identity data sources (applications, mainframe, DB, operating system) feed OIM + OIdA / Access Controls Governor (ESoD). Inputs: roles, entitlements, resources, certification history, provisioning events, policy violations. Risk aggregation separates low risk users (bulk certify) from high risk users (Cert 360: focused approve/reject/sign-off); SoDs backed by best practice libraries for Oracle Apps.]
SoD = segregation of duties (German: Funktionstrennung); OIdA = Oracle Identity Analytics, central role management
Bridging a business and a technology gap
Enterprise IT-Compliance
Functional overview: The four pillars of Access Control
SAP BO AC V10
Oracle Identity Manager – Integration of the SAP SoD Engine
Oracle Identity Manager for SAP
• SAP specific SoD Invocation Library
  • OIM SAP AC SIL Provider
• Web Services based communication
  • OIM SAP AC Web Service Client
  • Based on SAP official AC WSDL input
• Used by the OIM SAP Connectors during provisioning operations for SoD checks
[Diagram: OIM as consumer → SoD Invocation Library (SIL and adapters) with SIL providers (SAP SIL Provider, Custom SIL Provider, OAACG* SIL Provider) → AC Web Service Client → SAP BO AC.]
*OAACG = Oracle Application Access Controls Governor
WSDL = Web Service Definition Language
Oracle Identity Manager – Integration of the SAP SoD Engine
Oracle Identity Manager for SAP
• OIM SAP Connectors
  • To be used as interface between OIM and SAP BusinessObjects Access Control
  • Provisioning requests can be validated by the SAP official SoD engine
• Supported connector types for SoD checking:
  • OIM SAP User Management Connector
  • OIM SAP User Management Engine Connector
[Diagram: OIM with the SAP SIL Provider; (1) OIM SAP UM Connector via ICF and (2) OIM SAP UME Connector via Web Services, each with a pre-configured invocation of the SAP SIL Provider for SoD checks against SAP® BO AC V10 (AC-PC-RM on NW AS ABAP, AS ABAP UM).]
SAP BO AC V10 / OIM Scenario 01: IdM with SoD
[Workflow diagram, three lanes:]
• Requestor (Clerk): new or change request
• Business line manager (e.g. FI Manager): risk analysis / SoD, then business approval
• IT department: IT provisioning
One workflow (Oracle IdM WFL): SAP SoD is used for SoD risk analysis only; the non-SAP SoD check and the SAP specific SoD check both run within that workflow.
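The request flow on this slide (request, SoD risk analysis, business approval, provisioning), as an added Python illustration that is not part of the original deck and is not OIM, SIL or SAP AC code; the SoD rule pairs, entitlement names and user ids are constructed. It also covers the case the slide only implies: a single new entitlement that completes a toxic pair with one the user already holds.

```python
from dataclasses import dataclass, field

# Constructed SoD rule sets: pairs of entitlements that must never be held by
# one user. The "sap" rules stand in for the SAP AC engine's risk analysis,
# the "non_sap" rules for the non-SAP SoD check in the same workflow.
SOD_RULES = {
    "sap": [("FI_VENDOR_MAINTAIN", "FI_PAYMENT_RELEASE"),
            ("MM_PURCHASE_ORDER", "MM_GOODS_RECEIPT")],
    "non_sap": [("AD_DOMAIN_ADMIN", "AD_AUDIT_LOG_CLEAR")],
}

@dataclass
class AccessRequest:
    user: str
    target: str                      # "sap" or "non_sap" selects the SoD check
    requested: set
    existing: set = field(default_factory=set)   # entitlements already held

def sod_risk_analysis(req):
    """Step 1 (business line manager lane): evaluate requested PLUS already
    held entitlements against the target's rules, so a single new entitlement
    that completes a toxic pair is caught. Returns the violated rules."""
    held = req.existing | req.requested
    return [rule for rule in SOD_RULES[req.target] if set(rule) <= held]

def process_request(req, business_approved):
    """Run the whole flow: SoD risk analysis, then business approval, then
    provisioning. Nothing reaches the IT provisioning step on a violation."""
    violations = sod_risk_analysis(req)
    if violations:
        return {"status": "rejected", "reason": "sod_violation",
                "violations": violations}
    if not business_approved:
        return {"status": "rejected", "reason": "no_business_approval",
                "violations": []}
    # Only entitlements not already held are handed to provisioning.
    return {"status": "provisioned", "reason": None,
            "provisioned": sorted(req.requested - req.existing)}

if __name__ == "__main__":
    # Constructed sample: the clerk already holds FI_VENDOR_MAINTAIN and asks
    # for FI_PAYMENT_RELEASE, which completes a toxic pair.
    clerk = AccessRequest("clerk01", "sap", {"FI_PAYMENT_RELEASE"},
                          {"FI_VENDOR_MAINTAIN"})
    print(process_request(clerk, business_approved=True))
```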
Conclusion
Identity Management: Jump to a Modernized Identity Management Platform
• Reduce costs and risks with a complete identity governance suite
• Seamless application access from any device
• Low risk, high value upgrades and consolidation
• Empower and enable new digital identities
• Scalable software architecture
• Dedicated support for major ISVs, e.g. SAP ERP
Open Questions
Oracle Release Support
SAP User Management (ABAP) Connector Release 11.1.1.5.0
Oracle Identity Manager for SAP
• Supported OIM releases:
  • Oracle Identity Manager 11g Release 1 (11.1.1.5.6) or later
  • Oracle Identity Manager 11g Release 2 (11.1.2.0.1) or later
• Supported SAP JCo release:
  • SAP JCo 3.0.2 or later
• Supported SAP BO AC releases:
  • SAP BO AC V5.3
  • SAP BO AC V10
SAP User Management Engine (Java) Connector Release 11.1.1
Oracle Identity Manager for SAP
• Supported OIM releases:
  • Oracle Identity Manager 11g Release 1 (11.1.1.5.6) or later
  • Oracle Identity Manager 11g Release 2 (11.1.2.0.1) or later
• Supported SAP JCo release:
  • SAP JCo 3.0.2 or later
• Supported SAP BO AC releases:
  • SAP BO AC V5.3
  • SAP BO AC V10
© 2013 SAP AG. All rights reserved.