Implementing Identity and Access Management universally across multiple IT infrastructures and software platforms is a major challenge for any organization. IAM implementation is no longer about promoting efficiency during an onboarding process; it is more about managing roles, ensuring compliance, and promoting security. To do their daily job successfully, users today expect to get access to the information they need from anywhere at any time, regardless of the target system or application. IT departments are struggling to make this access frictionless for users while maintaining compliance with corporate and government-imposed security and privacy regulations. This task is even more complicated if business-critical platforms like SAP are involved: not only does SAP have its own security and access governance requirements, it is also usually managed by a team completely separate from the one responsible for the enterprise-wide IAM program. In this webinar, we will cover the challenges of managing SAP environments in silos, and how One Identity can help overcome these challenges and reduce the burden of managing SAP.
You will learn how One Identity Manager:
• Provides a unified view and enterprise management of SAP accounts on different systems, as well as the rest of the enterprise
• Associates an SAP account with the standard corporate user identity, bringing everything under governance
• Scales to hundreds of millions of SAP objects
• Provides SAP-optimized SoD verification and enforcement
• Delivers SAP-specialized workflows and business logic within enterprise governance
• Integrates with SAP cloud applications through One Identity Starling Connect
3. One Identity - Restricted - Confidential3
Agenda
• Identity and Access Management has its own challenges. Now, let’s add SAP and SAP Cloud Apps into the mix
• What are the challenges of managing SAP through your IAM processes?
• How does One Identity help you solve these challenges and reduce the overall burden of managing SAP?
4. Identity and Access Management
What does Alex have access to?
Why does he have access to resources?
Who gave him that access?
5. Now, let’s add SAP
• SAP has users and groups like most applications
• SAP also has clients, profiles, roles, menus, and transaction codes
• Different inheritance rules for each of these objects increase complexity
• Trying to resolve these complex relationships down to users and groups is close to impossible
• SAP Cloud Applications have their own data model
6. The challenges
• One common behavior among the organizations that we have worked with is to divide the enterprise into “SAP” and “everything else.”
• Many IAG solutions don’t have rich support for SAP
• Administrators from the Windows and Unix universes don’t share a common entitlement “mental map” with the SAP teams, so it’s easier to treat the platforms separately
• It is a challenge for organizations to get a single view of a user
• The silo approach results in redundant platforms and processes for entitlement requests
• It is difficult to enforce controls like separation of duty rules across the various platforms
7. SAP User Account Challenges
• To access business objects or execute SAP transactions, authorizations must be assigned to users
• A master record is required to log on
• Master records are client-specific
8. SAP Compliance & SoD Challenges
• SAP GRC executes rules on single, independent SAP accounts
• Context beyond the individual SAP account, such as a superordinate employee identity, is not included in GRC rule calculations
• No cross-platform support
20. SAP Objects not displayed directly in the Admin tool
• The connector can synchronise many objects that are not displayed in their own section in the Administration tool
• SAP Transactions, Authorization Objects, and elements like Activities and Authorization Groups are instead displayed as linked to SAP Functions for the purposes of SoD definition
21. SAP Function Instance and Affected Groups: used to easily define SoD Rules
Example: FI06 Bank deletion role will match this Function
22. SAP Audit Rule overview
23. SAP Audit Rule (SoD) configuration
• Example: showing AND across the clauses and OR over a list of SAP
Functions
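The rule shape described above (AND across the clauses, OR over the SAP Functions listed in each clause), as an added example that is not One Identity Manager code and not part of the original slides: it evaluates one rule per SAP account and then per identity, to show the gap the deck attributes to account-level checking. The accounts, client names, the rule, and every function-to-transaction mapping other than FI06 are constructed, and an SAP Function is reduced here to a set of transaction codes.

```python
from collections import defaultdict

# Constructed SAP Functions: name -> transaction codes that grant it.
# FI06 / bank deletion is the slide's example; the other rows are sample values.
SAP_FUNCTIONS = {
    "Bank deletion": {"FI06"},
    "Bank maintenance": {"FI01", "FI02"},
    "Payment run": {"F110"},
}

# A rule is a list of clauses, each clause a list of SAP Functions:
# OR over the functions inside a clause, AND across the clauses.
RULE = [["Bank maintenance", "Bank deletion"], ["Payment run"]]

# Constructed accounts: (identity, SAP system/client, assigned transactions).
ACCOUNTS = [
    ("alex", "PRD/100", {"FI06", "FB03"}),
    ("alex", "PRD/200", {"F110"}),
    ("dana", "PRD/100", {"FI01"}),
]

def functions_held(tcodes):
    """SAP Functions matched by a set of transaction codes."""
    return {name for name, codes in SAP_FUNCTIONS.items() if codes & tcodes}

def violates(rule, held):
    """True when every clause has at least one of its functions in `held`."""
    return all(any(fn in held for fn in clause) for clause in rule)

def per_account_violations(accounts, rule):
    """Account-level view: each SAP account is checked on its own."""
    return [(ident, client) for ident, client, tcodes in accounts
            if violates(rule, functions_held(tcodes))]

def per_identity_violations(accounts, rule):
    """Identity-level view: merge all accounts of one identity, then check.
    Returns identity -> {function: account that supplies it} as evidence."""
    held = defaultdict(dict)
    for ident, client, tcodes in accounts:
        for fn in functions_held(tcodes):
            held[ident].setdefault(fn, client)
    return {ident: {fn: fns[fn] for clause in rule for fn in clause if fn in fns}
            for ident, fns in held.items() if violates(rule, fns)}

if __name__ == "__main__":
    print("per account :", per_account_violations(ACCOUNTS, RULE))
    print("per identity:", per_identity_violations(ACCOUNTS, RULE))
```
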
24. SAP Audit Rule
[Diagram: Transaction 1 and Transaction 2, Authorization objects 1 to 3 and Function elements 1 to 4, combined with the operators OR (1), AND (2) and AND (3)]
25. SAP Function Definition
27. Pre-defined Templates speed up the project
• Simple configuration
• Extensibility to custom information (all the Z_ tables)
28. One-To-One relationship from the source of truth
• SAP HCM is the leading system for Org and Employee data
29. View on «ALL» the relationships
• All in One
• Reflects the Org changes as it is
• And more …
30. Write back Communication Data to SAP HCM
• Write back important communication data from other systems like Mail and Phone system
34. Identity Manager delivers unified administration and security for cloud and on-premises SAP applications
35. SAP & Identity Manager Benefits
• Enhances SAP compliance and governance with a cross-platform
view that merges the SAP ecosystem with a comprehensive view
of non-SAP resources
• Best fit for companies requiring strong governance for SAP
• Scales to the largest and most complex SAP organizations
• Delivers fine-grained SAP object management required for
efficient, secure, and successful SAP operations
• Understands and provides IGA for the difficult-to-manage aspects of SAP
(Transaction Codes, Process Codes, support for custom SAP Z Tables, and other
attributes)
• Provides SAP-optimized SoD verification and enforcement
• Delivers SAP-specialized workflows and business logic within enterprise governance
36. Why One Identity?
7,000+ customers of One Identity solutions
130+ million identities managed through One Identity solutions
Award-winning support: 94% of One Identity customers report “overall satisfaction with support experience”
Stability: 15 years of profitability and growth
2018 Leader: Gartner has named One Identity a Leader in its February 2018 MQ for Identity Governance and Administration
4.2 out of 5: One Identity’s score on the Gartner Peer Insights tool
Innovation
• Most comprehensive SAP Connector
• Market leader in AD management & security
• Pioneered AD bridge market
• Starling identity-as-a-service platform
Award-winning Partner Program: Computer Reseller News Channel Chief 2018 and 5 Star Rating
38. SAP Connector (additional cost)
The SAP connector is certified by SAP for both SAP R/3 and S/4HANA and provides the full user account lifecycle for SAP user accounts
Modules:
• SAP R/3 User Management Module (SAP)
• SAP R/3 Structural Profiles Add-on Module (SAP HCM)
• SAP R/3 Analysis Authorizations Add-on Module (SAP Business Intelligence)
• SAP R/3 Compliance Add-on Module (SAP Compliance)