User Management and Authorizations Overview

Session ID: SCUR102 User Management and Authorizations Overview

Contributing Speakers TechEd San Diego: Larry Justice

Security Consultant, SAP America

Jens Koster

Security Product Manager, SAP AG

Gerlinde Zibulski

Security Product Manager, SAP Labs LLC

TechEd Munich: Frank Buchholz


Jens Koster


Oliver Nocon

Portal RIG Consultant, SAP AG

© SAP AG 2004, SAP TechEd / SCUR102 / 2

Agenda Identity and Role Management with SAP Central User Administration Directory Integration Portal User Management Engine

User and Role Management for J2EE Web Applications User Management Engine J2EE Security Roles UME Roles

SAP’s Strategy for Identity Management Summary


Learning Objectives As a result of this workshop, you will understand the concepts behind: User management with SAP including Central User Administration Directory integration User Management Engine Portal roles Role management in ABAP and Java-based systems






Identity Management: Customers’ Vision Central Identity Management

Manage the individual's profile and relationships in heterogeneous and federated landscapes Provide services and delegated administration features for Authentication (policy-based) Single sign-on Authorization (policy-based) Profile management Provisioning for legacy systems

IM done through one centralized component SAP R/3

Network OS


Ext. access

HR

Other apps.

Decentralized User Maintenance Each SAP System has its own user data store Æ Decentralized user maintenance Æ Inconsistencies can occur between address data

SAP R/3 Enterprise


SAP EBP

SAP BW

SAP APO

SAP …

Central User Administration Users can be administrated in central SAP system

CUA central system SAP release as of 4.6C

Automatic distribution to client SAP systems Local administration still possible (back distribution) No inconsistencies

ALE

ALE

Central locks possible

SAP 6.x CUA client © SAP AG 2004, SAP TechEd / SCUR102 / 8

SAP 4.6 CUA client

SAP 4.5 CUA client

ABAP Role Implementation Approach ABAP Roles

User m:n

Composite m:n Role Menu: Transactions Web links, reports Etc.

Single Role Menu: Transactions Web links, reports Etc.

1:n Authorization Data Authorizations

Service Rep Menu

Single roles (and the corresponding authorization profiles) are created in the CUA client systems. Composite roles can be used either in the CUA client systems or in the CUA central system. © SAP AG 2004, SAP TechEd / SCUR102 / 9

Portal Roles A portal role is a container for applications and information that can be assigned to a particular group of users. The content of a role enables users to perform the tasks belonging to their job description. The content of a portal role is based on the company structure and on the information needs of the portal users in the company. The portal navigation structure is defined by the sum of the roles assigned to the user. Technically, a role is a hierarchy of folders containing other portal content objects. Roles can be assigned to users or groups of users, i.e. the portal role connects users (or groups of users) to the portal content. Introduction of Worksets as a new layer in a role hierarchy. © SAP AG 2004, SAP TechEd / SCUR102 / 10

Role A

Role Assignment

User Group 1

User Group 2

User Management – Directory Integration

E-mail

MetaDirectory Telephony

Central User Administration

Operating system

HR

Other applications © SAP AG 2004, SAP TechEd / SCUR102 / 11

Directory Benefits Directories serve as central repository for master data, which is used by several different applications. Modifications on this data can be done by every authorized application. Access to this data is provided using the standardized Lightweight Directory Access Protocol (LDAP). Hundreds of other application and hardware suppliers support this protocol. SAP systems can be connected to such a directory to share parts of their user data or database content (e.g. HR data) with other applications.


HR Data Replication from SAP in an LDAP-Enabled Directory Service SAP Web AS as of 6.10

Directory Replication

As of 4.70 HR can be connected directly to the LDAP directory RFC

Data Retrieval in Personnel Management via Queriy or ABAPReport

HR-system 4.0 and higher with Plug-In System (PI 2001.2) 4.5 with Plug-In System (Pl 2001.2) © SAP AG 2004, SAP TechEd / SCUR102 / 13

Central User Administration & LDAP Synchronization

CUA central system SAP release as of 6.10

Directory LDAP synchronization

ALE


ALE

SAP 4.6 CUA client

SAP 4.5 CUA client

CUA & LDAP Synchronization & Enterprise Portal Enterprise Portal with User Management Engine (UME)

CUA central system SAP release as of 6.10

Directory LDAP synchronization

Persistence store

ALE


ALE

SAP 4.6 CUA client

SAP 4.5 CUA client

SAPNetWeaver Portal Infrastructure

Role-based, …

Sales Manager

Line Manager

…secure…

Authentication

…and Web-based…

SAP Enterprise Portal 6.0

Business Developer

Single Sign On

…access to any kind of applications, information and services

ERP

CRM

…

Docs* *covered by KM


SAP NetWeaver Powers mySAP Solutions Role-Specific, Easy Access to All Systems

Manager Self Service Role (SAP ERP)

Employee Self Service Role (SAP ERP)


Architecture Overview – User Management Engine

SAP Enterprise Portal

Applications Accessing User Management

User Management Core Layer

User API

User Account API

Group API

Persistence Manager

Role API Replication Manager

Persistence Adapters User Persistence Store

Database


LDAP Directory

SAP System

External System

Main Role Concepts in SAP NetWeaver SAP Enterprise Portal Portal roles

Generate Authorization Roles in ABAP from User Interface Roles in the Portal

Roles in ABAP-based systems (roles in transaction PFCG)


Single and composite roles in ABAP-based systems

ABAP Roles and Portal Roles: A Comparison

ABAP Roles

Portal Roles

Roles (single roles) carry authorization information.

Portal Roles carry the user interface information but (almost) no authorization information.

The Profile Generator is part of role administration in transaction PFCG. The content of Authorization Roles can be generated using the definition of Portal Roles


Portal roles cannot be used in the Portal environment to create authorizations for the backend systems. Authorizations must still be maintained in the backend system.





Usage of UME by applications in SAP J2EE 6.40

SAP J2EE Engine

UME

Database


LDAP Directory

ABAP Stack

J2EE Security Security Models J2EE supports two different security models Declarative security Access

control linked to the resource

Decouples Easy

access control from application logic

to implement and maintain

Programmatic security Access

control within Java code

More

flexible but linked to application logic

More

work to implement


J2EE Role Concept (Example) - Declarative Security display

change EJB e.g. Address

JAR Role Change

Role Display EAR

Usergroup Change

User1 © SAP AG 2004, SAP TechEd / SCUR102 / 24

Usergroup Display

User2

UME Role Concept – Programmatic Security Application1

Permission1

Application2

Permission2

Action1

Permission3

Action2

UME Role 1

User or Group © SAP AG 2004, SAP TechEd / SCUR102 / 25

Permission4

Permission5

Action3

UME Role 2

User or Group

Permission6

Action4



SAP’s strategy for Identity Management Summary


Players: Identity and Access Management

Identity Management: Managing attributes of identities for a complex landscape, incl. those needed for security

User Lifecycle Mgmt Business Partner Integration Attribute Federation

Organizational Structure

Access management:

Authentication

Centralized access control decision, to be enforced in all components

Single Sign-On


Application Infrastructure

Administration Workflow

Provisioning of User Info

“Legacy“ Integration Option

SAP Applications

Business Process Information Web Services Choreography

Access Control Policy Definition Policy Enforcement Provisioning of Authorization Info

Non-SAP Applications

Standards: Identity and Access Management

User provisioning

Identity Administration

SAML, Liberty, WS-Federation

Identity Provider Attribute Provider

Attribute information

SAML Attribute information & authorization decisions

Rules and Roles Administration XACML Business rules enquiries

Access Control Engines

SAML Authorization decisions

XrML Object rights provisioning


Security Kernel

LDAP, DSML SPML



SAP’s strategy for Identity Management Summary


Summary SAP leverages various user persistence store options SAP allows for roles and authorizations with appropriate strength SAP further enhances its Identity Management features and functions SAP plans to develop its own solution for the external user account provisioning application (for SAP and non-SAP applications) based on NetWeaver The existing applications (Portal User Management Engine / Central User Administration / Directory Integration) will be an integral part of the new solution Please note that this document is subject to change and may be changed by SAP at any time without notice. The document is not intended to be binding upon SAP to any particular course of business, product strategy and/or development.


Further Information (San Diego) Î

Public Web: www.sap.com SAP Developer Network: www.sdn.sap.com Î SAP NetWeaver Platform Î Security SAP Customer Services Network: www.sap.com/services/

Î

Related SAP Education Training Opportunities http://www.sap.com/usa/education/ ADM940-960

Î

Related Workshops/Lectures at SAP TechEd 2004 SCUR351, User Management and Authorizations : The Details Wed, 2:00 PM - 6:00 PM, 31A Fri, 8:00 AM - 12:00 PM, 30D

SCUR101, Security Basics Tue, 1:30 PM - 2:30 PM, 2 Wed, 4:00 PM - 5:00 PM, 4

SCUR251, Single Sign-On in Heterogeneous Landscapes Wed, 10:30 AM - 12:30 PM, 30C Thu, 1:45 PM - 3:45 PM, 30A

SCUR202, Security Optimization Service Wed, 9:15 AM - 10:15 AM, 6C Thu, 9:15 AM - 10:15 AM, 9

PRTL152, Portal Roles – Roles vs. Authorizations Wed, 1:45 PM - 3:45 PM, 30A Thu, 8:00 AM - 10:00 AM, 30B


Further Information (Munich) Î

Public Web: www.sap.com SAP Developer Network: www.sdn.sap.com Î SAP Netweaver Platform Î Security SAP Customer Services Network: www.sap.com/services/

Î

Related SAP Education Training Opportunities http://www.sap.com/education/ ADM940-960

Î

Related Workshops/Lectures at SAP TechEd 2004 SCUR351, User Management and Authorizations: The Details Thu, 9:00 AM - 1:00 PM, HO01 SCUR202, Security Optimization Service Wed, 5:00 PM - 6:00 PM, L1


SAP Developer Network Look for SAP TechEd ’04 presentations and videos on the SAP Developer Network. Coming in December. http://www.sdn.sap.com/


Questions?

Q&A [email protected]

URL:


http://service.sap.com/security

Feedback Please complete your session evaluation. Be courteous — deposit your trash, and do not take the handouts for the following session.

Thank You !


Copyright 2004 SAP AG. All Rights Reserved No part of this publication may be reproduced or transmitted in any form or for any purpose without the express

permission of SAP AG. The information contained herein may be changed without prior notice. Some software products marketed by SAP AG and its distributors contain proprietary software components of other

software vendors. Microsoft, Windows, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation. IBM, DB2, DB2 Universal Database, OS/2, Parallel Sysplex, MVS/ESA, AIX, S/390, AS/400, OS/390, OS/400, iSeries,

pSeries, xSeries, zSeries, z/OS, AFP, Intelligent Miner, WebSphere, Netfinity, Tivoli, and Informix are trademarks or registered trademarks of IBM Corporation in the United States and/or other countries. Oracle is a registered trademark of Oracle Corporation. UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group. Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered

trademarks of Citrix Systems, Inc. HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C®, World Wide Web Consortium,

Massachusetts Institute of Technology. Java is a registered trademark of Sun Microsystems, Inc. JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and

implemented by Netscape. MaxDB is a trademark of MySQL AB, Sweden. SAP, R/3, mySAP, mySAP.com, xApps, xApp, SAP NetWeaver and other SAP products and services mentioned herein

as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world. All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary. These materials are subject to change without notice. These materials are provided by SAP AG and its affiliated

companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty. © SAP AG 2004, SAP TechEd / SCUR102 / 36