Part 1: The SAP authorization toolbox and models for access control
In Part 1, we provide an overview of the existing SAP authorization mechanism – the SAP Authorization Toolbox, and introduce an authorization framework for applying access control.
Advanced Authorization Model for Global SAP Deployments
1. Advanced Authorization for SAP Global Deployments Part I: The SAP authorization toolbox and models for access control Sandeep Chopra, Senior Product Mgr NextLabs, Inc.
2. Agenda
Objective
- Review access control challenges of a global SAP deployment
- Describe a model for applying tools to address requirements
- Look at some of the tools in the authorization toolbox
Presentation
- Anatomy of a Global Deployment
- Access Control Requirements and Challenges
- The Authorization Toolbox
- A Pragmatic Authorization Model
- An Authorization Decision Map
- The Next Step – Applied Authorization
- Questions and Answers
14. Advanced Authorization Challenges
Collaboration
- How do I share data and functions to enable global collaboration?
- How do I enable collaboration with external partners?
- How do I do more business around the world?
- How do I support systems 24/7 at the lowest cost?
Security
- How do I limit access to data and functions for users in a specific region or LOB?
- How do I protect my company IP from leaking outside the company?
- How do I ensure compliance with multiple global regulations?
- How do I control privileged IT users?
26. Authorization Toolbox
- Physical Segregation: multiple instances, client partitions
- RBAC: SAP Authorization Concept
- Context-based Access: PLM Access Control Model (ACM)
- Attribute Based Access Control (ABAC)
- Custom Development
27. Physical Segregation
Separate administration, storage and IT management. (Diagram: ERP 1 alongside a dedicated SAP instance for Project ACME; Project ACME team members and Project ACME partners are separated from other employees.)
28. SAP Authorization Concept
- Profile / role driven: Role Based Access Control (RBAC)
- Functional access: transactions, programs, services
- Data access: up to 10 AND’ed authorization fields (e.g. Company, Plant)
30. Granular Data Authorization for PLM
Roles are granted access to contexts. (Diagram of a context hierarchy with the nodes Root Context, Line Org., Project Org., Standards, Department A, Project A, Project B, Internal, Public.)
31. Attribute Based Access Control (ABAC)
Subject attributes
- User (e.g. citizenship, company)
- Computer
- Application
Environment attributes
- Time
- Connection type
- Threat level
Resource attributes
- Data values
- Classification
- Content
33. Introducing the Authorization Framework
1. Separate functional, data and governance requirements
2. Develop a functional authorization map
3. Authorization model assessment for data entitlements
4. Develop a data authorization decision map
5. Choose the right tools for each layer
34. Global Engineering Example: Business Authorizations
- Design Engineers can create, edit, and view drawings and BOMs
- Engineering Services can create ECOs
- Engineering Managers and Engineering Services can view drawings, BOMs, and ECOs
- Internal users can access all company product data
- Suppliers can only see their own product data
- Partner Co. can only work on Program X
- External partner accounts must be approved by the partner manager
- Trade Compliance must classify all new materials
35. Business Authorization Dimensions
- Functional access: determines the actions a user can perform
- Data access: determines the data a user can see
- Governance: rules for access management
38. Data Authorization: The Right Tool for the Right Job
Physical Segregation? Custom Engineering? RBAC? ACM? ABAC?
- RBAC is great for functional access control
- What is right for data access control? It depends on authorization complexity and volatility
39. Complexity: Beware of Role Explosion
A measure of how complex the authorization rules are to meet the control objective. Different tools can handle different complexity.
- A common mistake is to use roles to manage data entitlements: “We have more roles than employees”
- Global companies have multiple access variables, each with multiple values:
  - Multiple export jurisdictions (e.g. ITAR, EAR, BAFA)
  - Multiple IP control agreements (e.g. PIEA, NDA)
  - Multiple applications and systems (e.g. PLM, ERP, SharePoint)
- Traditional role based access control (RBAC) explodes with rule complexity
- ABAC is better for complex authorization situations compared to RBAC
(Chart: required access rules vs. number of access variables)
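The role-explosion argument in the slide above, worked through as an added example (not code from the deck or from NextLabs): role-based data entitlements need one role per combination of access-variable values, while an ABAC decision evaluates each variable as an attribute rule at request time. All variable values, the export and connection tables, and the subject/resource records are constructed placeholders, not real export-control rules.

```python
from itertools import product

# Constructed access variables taken from the slide's three examples.
ACCESS_VARIABLES = {
    "export_jurisdiction": ["ITAR", "EAR", "BAFA"],
    "ip_agreement": ["PIEA", "NDA", "none"],
    "system": ["PLM", "ERP", "SharePoint"],
}

def rbac_roles_needed(variables):
    """RBAC data entitlements: one role per combination of variable values."""
    return len(list(product(*variables.values())))

def abac_rules_needed(variables):
    """ABAC: one attribute rule per access variable, combined at decision time."""
    return len(variables)

# Constructed policy tables (placeholders only, not actual regulatory rules).
EXPORT_ALLOWED = {"ITAR": {"US"}, "EAR": {"US", "DE", "JP"}, "BAFA": {"DE", "FR", "US"}}
PARTNER_CONNECTION_REQUIRED = "vpn"

def abac_decide(subject, resource, environment):
    """Evaluate subject, resource and environment attributes.

    Returns (allowed, reasons); reasons lists every rule that denied access,
    so a denial log shows which attribute failed rather than which role was missing.
    """
    reasons = []
    external = resource["owner"] != subject["company"]
    # Export rule: subject citizenship vs. the resource's jurisdiction.
    if subject["citizenship"] not in EXPORT_ALLOWED[resource["jurisdiction"]]:
        reasons.append("export:" + resource["jurisdiction"])
    # IP control rule: own-company data, or an agreement that covers the data.
    if external and resource["ip_agreement"] not in subject["agreements"]:
        reasons.append("ip:" + resource["ip_agreement"])
    # Environment rule: external partners only over the approved connection type.
    if external and environment["connection"] != PARTNER_CONNECTION_REQUIRED:
        reasons.append("env:connection")
    return (not reasons, reasons)
```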
40. Volatility
A measure of how likely or how often authorization rules will change.
- Environments where authorization rules change frequently:
  - Decentralized systems
  - Companies active in M&A
  - Frequent system upgrades
- In high volatility environments, Physical Segregation is not flexible enough
- Custom development is expensive, as it drives up maintenance cost
- In volatile environments, RBAC and ABAC systems do better
41. What are my Data Authorization options?
(Diagram: Data Authorization Decision Map)
42. Mapping Requirements to Authorization Tools
- Understanding global deployment authorization requirements and challenges
- Introduction to the Authorization Toolbox
- Authorization Framework: clear separation of authorization dimensions
- Authorization Decision Map
43. Next Step – Applied Authorization
Part 2: Export Compliance
- How to assess complexity and volatility
- Export control example
Part 3: Secure Partner Collaboration
- Secure collaboration example
- Enterprise authorization considerations
44. Co-organized by NextLabs and SAP
NextLabs Overview
- Policy-driven, information risk management software for Global 5000 enterprises
- Helps companies achieve safer and more secure internal and external collaboration
- Ensures proper access to applications and data
Facts
- Locations: HQ San Mateo, CA; New York, NY; Hangzhou, PRC; Malaysia
- 25+ patent portfolio
- Major go-to-market partners: IBM, SAP, Microsoft
“We allow companies to preserve confidentiality, prevent data loss and ensure compliance across more channels and more points with a single unified solution with unmatched user acceptance and total cost of ownership.” - Keng Lim, Chairman and CEO
45. Thank You! Questions?
Ruth Stephens: 650-356-4801, ruth.stephens@nextlabs.com
Part 2: SAP authorization model for Export Compliance. Sign-up: visit www.nextlabs.com