Session ID: SCUR102 User Management and Authorizations Overview
Contributing Speakers
TechEd San Diego: Larry Justice (Security Consultant, SAP America); Jens Koster (Security Product Manager, SAP AG); Gerlinde Zibulski (Security Product Manager, SAP Labs LLC)
TechEd Munich: Frank Buchholz (Security Product Manager, SAP AG); Jens Koster (Security Product Manager, SAP AG); Oliver Nocon (Portal RIG Consultant, SAP AG)
© SAP AG 2004, SAP TechEd / SCUR102 / 2
Agenda
1. Identity and Role Management with SAP: Central User Administration, Directory Integration, Portal User Management Engine
2. User and Role Management for J2EE Web Applications: User Management Engine, J2EE Security Roles, UME Roles
3. SAP's Strategy for Identity Management
4. Summary
Learning Objectives
As a result of this workshop, you will understand the concepts behind:
- User management with SAP, including Central User Administration, directory integration and the User Management Engine
- Portal roles
- Role management in ABAP and Java-based systems
Identity Management: Customers' Vision
Central identity management:
- Manage the individual's profile and relationships in heterogeneous and federated landscapes
- Provide services and delegated administration features for authentication (policy-based), single sign-on, authorization (policy-based), profile management, and provisioning for legacy systems
- Identity management is done through one centralized component
Figure (diagram): the central identity management component connected to SAP R/3, the network operating system, external access, HR, and other applications.
Decentralized User Maintenance
Each SAP system has its own user data store, so user maintenance is decentralized and inconsistencies can occur, for example between address data held in different systems.
Figure (diagram): separate user stores in SAP R/3 Enterprise, SAP EBP, SAP BW, SAP APO and further SAP systems.
Central User Administration
- Users can be administered in a central SAP system (the CUA central system; SAP release 4.6C or higher)
- Automatic distribution to the client SAP systems via ALE
- Local administration is still possible (back distribution)
- No inconsistencies
- Central locks are possible
Figure (diagram): the CUA central system distributing user data via ALE to SAP 6.x, SAP 4.6 and SAP 4.5 CUA client systems.
ABAP Role Implementation Approach
ABAP roles (diagram): a user is assigned m:n to composite roles, a composite role contains m:n single roles, and a single role carries 1:n authorization data (authorizations). Both composite and single roles have a role menu (transactions, web links, reports, etc.); the example shown is a Service Rep menu.
Single roles (and the corresponding authorization profiles) are created in the CUA client systems. Composite roles can be used either in the CUA client systems or in the CUA central system.
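To make the role hierarchy on the slide concrete, the following added example (not SAP code, and not part of the original presentation) models the chain user, composite role, single role, authorization data in Python and runs the kind of check an application performs against the resulting authorizations. The authorization objects, field names and role names are constructed for the illustration, and the value-matching rules (an exact value, a trailing '*' prefix pattern, or '*' for everything) are a simplified assumption about how such checks behave, not a description of the SAP kernel.

```python
# Added illustration (not SAP code): the ABAP role hierarchy from the slide,
# user m:n composite role m:n single role 1:n authorization data, plus the
# check an application runs against the flattened authorizations.
# Object, field and role names are constructed; the matching rules are a
# simplified assumption, not the SAP kernel's implementation.
from dataclasses import dataclass, field


@dataclass
class Authorization:
    """One authorization: an authorization object and, per field, the list
    of permitted values ('*' = anything, trailing '*' = prefix, else exact)."""
    obj: str
    fields: dict


@dataclass
class SingleRole:
    name: str
    menu: list = field(default_factory=list)            # transactions, web links, reports
    authorizations: list = field(default_factory=list)  # 1:n authorization data


@dataclass
class CompositeRole:
    name: str
    singles: list = field(default_factory=list)         # m:n single roles


def _value_matches(allowed: str, actual: str) -> bool:
    if allowed == "*":
        return True
    if allowed.endswith("*"):
        return actual.startswith(allowed[:-1])
    return allowed == actual


def effective_authorizations(roles: list) -> list:
    """Flatten a user's role assignments (composite and single roles) to the
    authorizations the checks run against. Menu entries are ignored on
    purpose: a menu only shows what a user can navigate to, it grants nothing."""
    auths = []
    for role in roles:
        singles = role.singles if isinstance(role, CompositeRole) else [role]
        for single in singles:
            auths.extend(single.authorizations)
    return auths


def authority_check(auths: list, obj: str, **wanted: str) -> bool:
    """Succeeds only if ONE authorization for `obj` satisfies every requested
    field at the same time. Values are never combined across authorizations,
    so 'change in 1000' plus 'display in 2000' does not give 'change in 2000'."""
    for auth in auths:
        if auth.obj != obj:
            continue
        if all(any(_value_matches(v, wanted[f]) for v in auth.fields.get(f, []))
               for f in wanted):
            return True
    return False


def wildcard_fields(auths: list) -> list:
    """Audit helper: (object, field) pairs that grant '*', the first thing a
    reviewer of generated profiles looks for."""
    return sorted({(a.obj, f) for a in auths for f, vals in a.fields.items() if "*" in vals})


def service_rep_roles() -> list:
    """Constructed example: the single roles behind a 'Service Rep' composite role."""
    display_1000 = SingleRole("Z_SR_DISPLAY_1000", menu=["VA03"], authorizations=[
        Authorization("S_TCODE", {"TCD": ["VA03"]}),
        Authorization("V_VBAK_VKO", {"ACTVT": ["03"], "VKORG": ["1000"]}),
    ])
    change_1000 = SingleRole("Z_SR_CHANGE_1000", menu=["VA02"], authorizations=[
        Authorization("S_TCODE", {"TCD": ["VA02"]}),
        Authorization("V_VBAK_VKO", {"ACTVT": ["02", "03"], "VKORG": ["1000"]}),
    ])
    display_2000 = SingleRole("Z_SR_DISPLAY_2000", authorizations=[
        Authorization("V_VBAK_VKO", {"ACTVT": ["03"], "VKORG": ["2000"]}),
    ])
    # The user is assigned the composite role; the singles come with it.
    return [CompositeRole("Z_SERVICE_REP", [display_1000, change_1000, display_2000])]
```

The point worth taking from the model is the one the check encodes: every field of a check has to be satisfied by a single authorization, so splitting activities and organizational values across single roles does not accidentally widen access, whereas a single '*' value in one field does, which is why the audit helper looks for exactly that.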
Portal Roles
A portal role is a container for applications and information that can be assigned to a particular group of users. The content of a role enables users to perform the tasks belonging to their job description. The content of a portal role is based on the company structure and on the information needs of the portal users in the company. The portal navigation structure is defined by the sum of the roles assigned to the user. Technically, a role is a hierarchy of folders containing other portal content objects. Roles can be assigned to users or groups of users, i.e. the portal role connects users (or groups of users) to the portal content. Worksets are introduced as a new layer in the role hierarchy.
Figure (diagram): role assignment, with Role A assigned to User Group 1 and User Group 2.
User Management: Directory Integration
Figure (diagram): a meta directory in the centre, connected to e-mail, telephony, Central User Administration, the operating system, HR, and other applications.
Directory Benefits
Directories serve as a central repository for master data that is used by several different applications. Modifications to this data can be made by any authorized application. Access to the data is provided through the standardized Lightweight Directory Access Protocol (LDAP), which hundreds of application and hardware suppliers support. SAP systems can be connected to such a directory to share parts of their user data or database content (e.g. HR data) with other applications.
HR Data Replication from SAP into an LDAP-Enabled Directory Service
Figure (diagram): HR systems from release 4.0 (4.0 and 4.5 are shown, each with Plug-In PI 2001.2) send data via RFC to SAP Web AS 6.10 or higher, which replicates it into the directory; as of release 4.70, HR can be connected to the LDAP directory directly. Data retrieval in Personnel Management is via query or ABAP report.
Central User Administration & LDAP Synchronization
Figure (diagram): the CUA central system (SAP release 6.10 or higher) synchronizes with the LDAP directory and distributes user data via ALE to SAP 6.x, SAP 4.6 and SAP 4.5 CUA client systems.
CUA & LDAP Synchronization & Enterprise Portal
Figure (diagram): the same landscape with SAP Enterprise Portal and its User Management Engine (UME), whose persistence store is connected to the same LDAP directory, so the portal, the CUA central system and the CUA clients share one set of user data.
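The two slides above and the earlier Directory Benefits slide describe the directory as the shared master-data source and CUA as the system that synchronizes with it. The following added example (not SAP's synchronization code, and not part of the original presentation) shows what such a one-way comparison has to decide: it reads a constructed LDIF export, compares it with constructed CUA-side user records, and produces the actions a synchronization run would hand to the central system. The SAP-side attribute subset (name, last name, first name, e-mail, lock flag) and the directory attribute mapping (uid, sn, givenName, mail) are assumptions for the illustration, not SAP's schema.

```python
# Added illustration (not SAP code): a one-way directory -> CUA comparison.
# The LDIF export and the CUA-side records are constructed sample data;
# the attribute mapping is an assumption, not SAP's schema.
from dataclasses import dataclass


@dataclass(frozen=True)
class SapUser:
    """User master record as held in the CUA central system (subset)."""
    name: str
    last_name: str
    first_name: str
    email: str
    locked: bool = False


# Constructed directory export: four people; cdoe's mail differs from SAP.
SAMPLE_LDIF = """\
dn: uid=asmith,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uid: asmith
sn: Smith
givenName: Alice
mail: alice.smith@example.com

dn: uid=bjones,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uid: bjones
sn: Jones
givenName: Bob
mail: bob.jones@example.com

dn: uid=cdoe,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uid: cdoe
sn: Doe
givenName: Carol
mail: carol.doe@example.com

dn: uid=erev,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uid: erev
sn: Rev
givenName: Eve
mail: eve.rev@example.com
"""


def sample_sap_users() -> dict:
    """Constructed CUA-side records: asmith unchanged, cdoe with an old mail
    address, dlee no longer in the directory, erev locked in SAP."""
    users = [
        SapUser("asmith", "Smith", "Alice", "alice.smith@example.com"),
        SapUser("cdoe", "Doe", "Carol", "carol@example.com"),
        SapUser("dlee", "Lee", "Dan", "dan.lee@example.com"),
        SapUser("erev", "Rev", "Eve", "eve.rev@example.com", locked=True),
    ]
    return {u.name: u for u in users}


def parse_ldif(text: str) -> dict:
    """Minimal LDIF reader: entries separated by blank lines, 'attr: value'
    per line, folded lines start with one space. Returns {dn: {attr: [values]}}.
    Base64 values ('attr::') are rejected rather than silently mis-parsed."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # unfold continuation line
        else:
            lines.append(raw)
    entries, current = {}, {}
    for line in lines + [""]:             # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries[current["dn"][0]] = current
            current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):
            raise ValueError(f"base64 value for {attr} not supported here")
        current.setdefault(attr.strip(), []).append(value.strip())
    return entries


def plan_sync(directory: dict, sap_users: dict, user_attr: str = "uid") -> list:
    """Compare directory people with CUA records; return (action, user, detail)
    tuples sorted by action and user. Two deliberate choices:
    - a person missing from the directory is LOCKED, never deleted, so the
      account, its role assignments and its change documents stay for audit;
    - a person present in the directory but locked in SAP is only flagged,
      because a sync job must not silently reactivate accounts."""
    actions, seen = [], set()
    for entry in directory.values():
        uid = entry[user_attr][0]
        seen.add(uid)
        wanted = SapUser(uid, entry.get("sn", [""])[0], entry.get("givenName", [""])[0],
                         entry.get("mail", [""])[0])
        current = sap_users.get(uid)
        if current is None:
            actions.append(("create", uid, wanted))
        elif current.locked:
            actions.append(("review", uid, "in directory but locked in SAP"))
        elif current != wanted:
            actions.append(("update", uid, wanted))
    for uid, user in sap_users.items():
        if uid not in seen and not user.locked:
            actions.append(("lock", uid, "no longer in directory"))
    return sorted(actions, key=lambda a: (a[0], a[1]))
```

Note what the plan does not touch: role assignments. The directory supplies person data; which roles a user holds in which CUA client stays an SAP-side decision, so a directory change can lock an account but cannot widen its authorizations.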
SAP NetWeaver Portal Infrastructure
SAP Enterprise Portal 6.0 provides role-based (e.g. Sales Manager, Line Manager, Business Developer), secure (authentication, single sign-on) and Web-based access to any kind of applications, information and services: ERP, CRM, documents (covered by Knowledge Management), and more.
SAP NetWeaver Powers mySAP Solutions: Role-Specific, Easy Access to All Systems
Examples: Manager Self Service role (SAP ERP), Employee Self Service role (SAP ERP).
Architecture Overview: User Management Engine
Figure (diagram), top to bottom:
- Applications accessing user management (e.g. SAP Enterprise Portal)
- User Management Core Layer: User API, User Account API, Group API, Role API; Persistence Manager and Replication Manager
- Persistence Adapters
- User Persistence Store: database, LDAP directory, SAP system, external system
Main Role Concepts in SAP NetWeaver
- SAP Enterprise Portal: portal roles
- ABAP-based systems: single and composite roles (roles in transaction PFCG)
- Authorization roles in ABAP can be generated from user interface roles in the Portal
ABAP Roles and Portal Roles: A Comparison
- ABAP roles (single roles) carry authorization information. The Profile Generator is part of role administration in transaction PFCG.
- Portal roles carry the user interface information but (almost) no authorization information. The content of authorization roles can be generated from the definition of portal roles.
- Portal roles cannot be used in the Portal environment to create authorizations for the backend systems. Authorizations must still be maintained in the backend system.
Agenda, part 2: User and Role Management for J2EE Web Applications (User Management Engine, J2EE Security Roles, UME Roles)
Usage of UME by Applications in SAP J2EE 6.40
Figure (diagram): applications on the SAP J2EE Engine use the UME, whose user data can be kept in a database, an LDAP directory, or the ABAP stack.
J2EE Security: Security Models
J2EE supports two different security models:
- Declarative security: access control is linked to the resource; it decouples access control from application logic and is easy to implement and maintain.
- Programmatic security: access control is within the Java code; it is more flexible but linked to application logic, and more work to implement.
J2EE Role Concept (Example): Declarative Security
Figure (diagram): an EJB (e.g. Address) with the methods display and change is packaged in a JAR that declares the roles Display and Change. The EAR maps these roles to user groups: Usergroup Change (containing User1) and Usergroup Display (containing User2).
UME Role Concept: Programmatic Security
Figure (diagram): applications (Application1, Application2) define permissions (Permission1 to Permission6); permissions are grouped into actions (Action1 to Action4); actions are assigned to UME roles (UME Role 1, UME Role 2); each UME role is assigned to users or groups.
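The three slides above contrast declarative security (the rule sits in deployment metadata next to the resource) with programmatic security (the rule sits in code, where the UME permission model is used). The following added example (not SAP J2EE Engine or UME code, and not part of the original presentation) puts both side by side in Python: the Address bean with its display and change methods, the user, group and role mapping from the J2EE slide, a UME-style permission, action, role hierarchy, a table standing in for the method-permission section of a deployment descriptor, and one check that only programmatic security can express, "you may change your own address". All group, role, action and permission names are constructed, and the "Admin" group is added beyond the slide to show the data-dependent check being overridden by a permission.

```python
# Added illustration (not SAP code): declarative vs programmatic security on
# the Address EJB from the slide. All names below are constructed.
import functools

# --- user -> group -> role, as on the J2EE role slide (Admin group is added)
GROUP_MEMBERS = {"Usergroup Change": {"User1"}, "Usergroup Display": {"User2"},
                 "Usergroup Admin": {"Admin1"}}
GROUP_ROLES = {"Usergroup Change": {"Change"}, "Usergroup Display": {"Display"},
               "Usergroup Admin": {"Admin"}}

# --- UME-style hierarchy: application permissions -> actions -> UME roles
ACTION_PERMISSIONS = {
    "Action1": {"Address.display"},
    "Action2": {"Address.display", "Address.change"},
    "Action3": {"Address.display", "Address.change", "Address.change_any"},
}
ROLE_ACTIONS = {"Display": {"Action1"}, "Change": {"Action2"}, "Admin": {"Action3"}}


class AccessDenied(PermissionError):
    pass


class Caller:
    """The authenticated caller; roles are derived from group membership."""
    def __init__(self, name: str):
        self.name = name
        self.groups = {g for g, members in GROUP_MEMBERS.items() if name in members}
        self.roles = set().union(*(GROUP_ROLES[g] for g in self.groups))

    def is_caller_in_role(self, role: str) -> bool:      # cf. EJBContext.isCallerInRole
        return role in self.roles

    def has_permission(self, permission: str) -> bool:   # cf. a UME permission check
        return any(permission in ACTION_PERMISSIONS[action]
                   for role in self.roles for action in ROLE_ACTIONS[role])


# --- declarative: the rule is metadata attached to the method.
# Read this table as the method-permission part of a deployment descriptor:
# it is changed at deployment time without touching the bean's code.
METHOD_PERMISSIONS = {
    "display": {"Display", "Change", "Admin"},
    "change": {"Change", "Admin"},
}


def declarative(method_name: str):
    """Container-side interceptor: deny before the business method runs."""
    def wrap(fn):
        @functools.wraps(fn)
        def guarded(self, caller, *args, **kwargs):
            if not any(caller.is_caller_in_role(r) for r in METHOD_PERMISSIONS[method_name]):
                raise AccessDenied(f"{caller.name} is in no role allowed to call {method_name}")
            return fn(self, caller, *args, **kwargs)
        return guarded
    return wrap


class AddressBean:
    """The 'Address' EJB from the slide, holding one address per owner."""
    def __init__(self):
        self._addresses = {"User1": "1 Main St", "User2": "2 High St"}

    @declarative("display")
    def display(self, caller: Caller, owner: str) -> str:
        return self._addresses[owner]

    @declarative("change")
    def change(self, caller: Caller, owner: str, new_value: str) -> str:
        # --- programmatic: the descriptor can say "role Change may call
        # change()" but not "only on the caller's own record"; that depends on
        # the data and has to live in code, which is the flexibility the
        # slide refers to, paid for by coupling the rule to application logic.
        if owner != caller.name and not caller.has_permission("Address.change_any"):
            raise AccessDenied(f"{caller.name} may not change the address of {owner}")
        self._addresses[owner] = new_value
        return new_value


def attempt(method, caller_name: str, *args):
    """Run a bean method as the named caller; return its result or 'denied'."""
    try:
        return method(Caller(caller_name), *args)
    except AccessDenied:
        return "denied"
```

Two outcomes are worth tracing by hand: User2 (role Display) is stopped by the declarative layer before change() runs at all, while User1 (role Change) passes the declarative layer and is stopped inside the method when the owner is someone else. Only the second decision needs the UME permission lookup.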
Agenda, part 3: SAP's Strategy for Identity Management
Players: Identity and Access Management
Identity management: managing the attributes of identities for a complex landscape, including those needed for security. Components shown in the diagram: user lifecycle management, business partner integration, attribute federation, organizational structure, administration workflow, provisioning of user information, "legacy" integration option.
Access management: authentication, single sign-on, and a centralized access control decision that is enforced in all components. Components shown: access control policy definition, policy enforcement, provisioning of authorization information.
Application infrastructure: SAP applications and non-SAP applications, business process information, Web services choreography.
Standards: Identity and Access Management
Figure (diagram), standards by function:
- User provisioning and identity administration: LDAP, DSML, SPML
- Identity provider and attribute provider: SAML, Liberty, WS-Federation; SAML carries attribute information and authorization decisions
- Rules and roles administration and access control engines: XACML (business rules enquiries), SAML (authorization decisions)
- Object rights provisioning: XrML
- Security kernel
Agenda, part 4: Summary
Summary
- SAP leverages various user persistence store options
- SAP allows for roles and authorizations with appropriate strength
- SAP further enhances its Identity Management features and functions
- SAP plans to develop its own solution for the external user account provisioning application (for SAP and non-SAP applications) based on NetWeaver
- The existing applications (Portal User Management Engine, Central User Administration, Directory Integration) will be an integral part of the new solution
Please note that this document is subject to change and may be changed by SAP at any time without notice. The document is not intended to be binding upon SAP to any particular course of business, product strategy and/or development.
Further Information (San Diego)
- Public Web: www.sap.com
- SAP Developer Network: www.sdn.sap.com → SAP NetWeaver Platform → Security
- SAP Customer Services Network: www.sap.com/services/
- Related SAP Education training opportunities: http://www.sap.com/usa/education/ ADM940-960
- Related workshops/lectures at SAP TechEd 2004:
  - SCUR351, User Management and Authorizations: The Details; Wed, 2:00 PM - 6:00 PM, 31A; Fri, 8:00 AM - 12:00 PM, 30D
  - SCUR101, Security Basics; Tue, 1:30 PM - 2:30 PM, 2; Wed, 4:00 PM - 5:00 PM, 4
  - SCUR251, Single Sign-On in Heterogeneous Landscapes; Wed, 10:30 AM - 12:30 PM, 30C; Thu, 1:45 PM - 3:45 PM, 30A
  - SCUR202, Security Optimization Service; Wed, 9:15 AM - 10:15 AM, 6C; Thu, 9:15 AM - 10:15 AM, 9
  - PRTL152, Portal Roles: Roles vs. Authorizations; Wed, 1:45 PM - 3:45 PM, 30A; Thu, 8:00 AM - 10:00 AM, 30B
Further Information (Munich)
- Public Web: www.sap.com
- SAP Developer Network: www.sdn.sap.com → SAP NetWeaver Platform → Security
- SAP Customer Services Network: www.sap.com/services/
- Related SAP Education training opportunities: http://www.sap.com/education/ ADM940-960
- Related workshops/lectures at SAP TechEd 2004:
  - SCUR351, User Management and Authorizations: The Details; Thu, 9:00 AM - 1:00 PM, HO01
  - SCUR202, Security Optimization Service; Wed, 5:00 PM - 6:00 PM, L1
SAP Developer Network Look for SAP TechEd ’04 presentations and videos on the SAP Developer Network. Coming in December. http://www.sdn.sap.com/
Questions? Q&A
[email protected]
URL: http://service.sap.com/security
Feedback Please complete your session evaluation. Be courteous — deposit your trash, and do not take the handouts for the following session.
Thank You !
Copyright 2004 SAP AG. All Rights Reserved
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.
Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.
Microsoft, Windows, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation. IBM, DB2, DB2 Universal Database, OS/2, Parallel Sysplex, MVS/ESA, AIX, S/390, AS/400, OS/390, OS/400, iSeries, pSeries, xSeries, zSeries, z/OS, AFP, Intelligent Miner, WebSphere, Netfinity, Tivoli, and Informix are trademarks or registered trademarks of IBM Corporation in the United States and/or other countries. Oracle is a registered trademark of Oracle Corporation. UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group. Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc. HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology. Java is a registered trademark of Sun Microsystems, Inc. JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape. MaxDB is a trademark of MySQL AB, Sweden. SAP, R/3, mySAP, mySAP.com, xApps, xApp, SAP NetWeaver and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world. All other product and service names mentioned are the trademarks of their respective companies.
Data contained in this document serves informational purposes only. National product specifications may vary. These materials are subject to change without notice. These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.