In Part 1, we will provide an overview of the existing SAP authorization mechanism – the SAP Authorization Toolbox, and introduce industry models for applying access control.

1. Advanced Authorization for SAP Global Deployments Part I: The SAP authorization toolbox and models for access control Andy Han, VP Products, NextLabs, Inc.

2. Agenda Objective Review access control challenges of a global SAP deployment Describe a model for applying tools to address requirements Look at the some of tools in the authorization tool box Presentation Anatomy of a Global Deployment Access Control Requirements and Challenges 2 Layer Authorization Model The Authorization Toolbox The Next Step – Applied Authorization Question and Answers

4. Multi Line of Business

7. Privacy

9. Helpdesk

11. External Access

12. Co-opetition

13. Multi Level Supply ChainCustomer Design Partners

14. Advanced Authorization Challenges Collaboration Security How do I share data and functions to enable global collaboration? How to I enable collaboration with external partners? How do I do more business around the world? How to I support systems 24/7 at the lowest cost? How do I limit access to data and functions for users in a specific region or LOB? How do I protect my company IP from leaking outside the company? How do ensure compliance with multiple global regulations? How do I control privileged IT users?

16. Multi Line of Business

19. Privacy

21. Helpdesk

23. External Access

24. Co-opetition

25. Multi Level Supply ChainCustomer Design Partners

26. Global Engineering Example Business Authorizations Design Engineers can create, edit, and view drawings and BOMs Engineering Services can create ECOs Engineering Managers and Engineering Services can View Drawings, BOMs, and ECOs Internal users can access all company product data Suppliers can only see their own product data Partner Co. can only work on Program X External partner accounts must be approved by partner manager Trade Compliance must classify all new materials

27. Business Authorization Dimensions Functional Access Determine the actions a user can perform Data Access Determine the data a user can see Governance Rules for access management Data Access Functional Access Governance

29. Classification of Controlled Products requires Trade Compliance reviewData Entitlements Functional Roles

31. Classification of Controlled Products requires Trade Compliance review2 1 3 1 3 1 3 5 6

32. Authorization Layers Subject 2 1 Functional Authorization Layer 1 3 1 3 3 Governance Data Authorization Layer 5 6 Resource

33. Authorization Toolbox Functional Authorization Layer SAP Authorization Concept Access Provisioning Custom Development Data Authorization Layer System Segregation Client Partitions SAP Authorization Concept PLM Access Control Model (ACM) Attribute Based Access Control (ABAC) Custom Development Governance SAP GRC Access & Process Control Identity Management Manual Authorization Management Procedures

34. SAP Authorization Concept Profile / Role Driven Role Based Access Control (RBAC) Functional Access Transactions, programs, services Data Access Up to 10 AND’ed authorization fields e.g. Company, Plant

36. Roles granted access to contextsGranular Data Authorization for PLM Root Context Line Org. Project Org. Standards Depart-ment A Project A Project B Internal Public

37. Attribute Based Access Control (ABAC) Subject Attributes User (e.g. Citizenship, Company) Computer Application Environment Attributes Time Connection Type Threat Level Resource Attributes Data Values Classification Content

38. Beware of Role Explosion Common mistake is to use Roles to Manage Data Entitlements “We have more roles than employees” Global companies have multiple access variables Multiple Export Jurisdictions (e.g. ITAR, EAR, BAFA) Multiple IP Control Agreements (e.g. PIEA, NDA) Multiple Applications and Systems (e.g. PLM, ERP, SharePoint) Traditional role based access control (RBAC) explodes based on the number of variables Required Access Rules Number of Access Variables

39. Fine Grain vs. Coarse Grain Data Entitlements ACC System Segregation Client Partitions Authorization Objects ACL ABAC Custom Development Coarse Grain Fine Grain

41. Classification of Controlled Products requires Trade Compliance review2 1 3 1 3 1 3 5 6

42. Mapping Requirements to Authorization Tools Understanding Global Deployment Authorization Requirements and Challenges Authorization Model – Clear Separation of Authorization Dimensions Introduction to the Authorization Toolbox

43. Next Step – Applied Authorization Part 2: Export Compliance Part 3: Secure Partner Collaboration

44. Co-organized by NextLabs and SAP NextLabs Overview Policy-driven, information risk management software for Global 5000 enterprises. Help companies achieve safer and more secure internal and external collaboration Ensure proper access to applications and data Facts Locations HQ: San Mateo, CA New York, NY Hangzhou, PRC Malaysia 25+ Patent Portfolio Major go-to-market Partners: IBM, SAP, Microsoft “We allow companies to preserve confidentiality, prevent data loss and ensure compliance across more channels and more points with a single unified solution with unmatched user acceptance and total cost of ownership.” - Keng Lim, Chairman and CEO

45. Thank You! Questions? Ruth Stephens: 650-356-4801 ruth.stephens@nextlabs.com August 2 - Part 2: SAP authorization model for Export Compliance Sign-up: visit www.nextlabs.com