Sci261- Sap Netweaver Identity Management - Workflow Configuration

Post on 06-Apr-2015

468 views

Category:

Documents

35 download

Embed Size (px)

TRANSCRIPT

SCI261 SAP NetWeaver Identity Management 7.1 Workflow Configuration

Kåre Indrøy, Product Expert, SAP NW IdM
Matt Kangas, SAP Technology RIG Americas
Nghia Nguyen, SAP Technology RIG Americas
Oliver Nocon, SAP Technology RIG EMEA

October 2010

Disclaimer

This presentation outlines our general product direction and should not be relied on in making a purchase decision. This presentation is not subject to your license agreement or any other agreement with SAP. SAP has no obligation to pursue any course of business outlined in this presentation or to develop or release any functionality mentioned in this presentation. This presentation and SAP's strategy and possible future developments are subject to change and may be changed by SAP at any time for any reason without notice. This document is provided without a warranty of any kind, either express or implied, including but not limited to, the implied warranties of merchantability, fitness for a particular purpose, or non-infringement. SAP assumes no responsibility for errors or omissions in this document, except if such damages were caused by SAP intentionally or grossly negligent.

© 2010 SAP AG. All rights reserved.

Agenda

1. SAP NetWeaver Identity Management Overview
2. SAP NetWeaver 7.1: UI Overview
3. Layout Configuration
4. Permission Configuration
5. Approvals
6. Provisioning Task Design
7. Approval Mechanisms
8. Hands-On

Identity Management Definition

SAP NetWeaver Identity Management:
- Enables the efficient, secure and compliant execution of business processes
- By ensuring that the right users have the right access to the right systems at the right time
- Consistent with their roles across all systems and applications

Typical User Lifecycle

Challenges:
- Long time to become productive
- Enormous costs and efforts
- Security leaks if employee leaves

Timeline shown on the slide (Chuck Brown):
- Hire date: Chuck Brown joins the company. Available: temporary accounts
- 3 weeks later: Chuck Brown is able to work in accounting. Available: E-Mail, Portal, Internet, Accounting
- 1 year later: Chuck Brown transfers to sales. Available: E-Mail, Portal, Internet, Accounting, CRM (west), Marketing data (west)
- 7 years later: Chuck Brown is promoted: Vice President Sales. Available: E-Mail, Portal, Internet, Accounting, CRM (global), Marketing data (global)
- 8 years later: Chuck Brown resigns. All known accounts of Chuck Brown are deactivated
- 10 years later: Chuck Brown still has access to the system. Available: Accounting, Marketing data (global)

SAP NetWeaver Identity Management Holistic Approach

Elements shown on the slide:
- Approval workflows (e.g. on-boarding)
- Compliance checks through GRC (SAP BusinessObjects Access Control)
- SAP Business Suite integration
- Identity virtualization and identity as service
- Central Identity Store
- Identity mgmt. monitoring & audit
- Password management
- Rule-based assignment of business roles
- Provisioning to SAP and non-SAP systems

Business Roles and Technical Roles

Business Roles:
- Are defined in the Identity Center
- Represent the business tasks of an employee
- Are usually defined as part of a business process
- Can be set up in hierarchies
- Are a combination of technical roles and/or other business roles
- Are usually assigned to end users

Technical Roles:
- Represent access information or technical authorizations (e.g. ABAP authorization roles, UME roles, Portal roles, AD groups, ...)
- Are usually uploaded from the target system
- Are system-specific
- Are usually represented as privileges in the Identity Center

Diagram: business roles Manager, Accounting and Employee are composed of technical roles E-mail (E-Mail System), AD user (Active Directory), End user (Portal role, SAP Portal), Accounting (ABAP role, SAP FI) and HR manager (ABAP role, SAP HR).

Role Definition and Provisioning

Role Definition (design, one-time task):
- Read system access information (roles, groups, authorizations, etc.) from target systems
- Define a business role hierarchy
- Assign technical roles to business roles
- Develop rules for role assignments

Provisioning (regularly):
- Assign or remove roles to/from people: through request/approval workflow; manually (administrator); automatically, e.g. HR-driven
- Automatic adjustment of master data and assignments of technical authorizations in target systems

Workflows Overview

- Operates on entries in the identity store
- Manual interactions through the Web interface: start provisioning tasks, approve requests, monitor status
- Components shown: Rules, Roles, Identity Store, Workflow Engine, Provisioning Engine

Workflows can be started from:
- Web interface
- Event tasks
- Change of privilege assignments
- Meta directory operations

Processing logic includes:
- Sequential operation
- Parallel operation
- Conditional operation
- Approval operation

Diagram flow: (1) the User sends a request to the Identity Center; (2) the Identity Center alerts the Business Process Owner; (3) the Business Process Owner approves; (4) the Identity Center provisions the Applications; (5) the User is informed.

SAP NetWeaver Identity Management User Interface

Standalone UI:
- Accessible through http://<host>:<port>/idm

Through Portal:
- Role: portal_content/com.sap.idm.identity_management_folder/com.sap.idm.identity_management_role

Self Service Tasks

Self-services:
- Available through the "Self Services" tab in the IdM UI
- Tasks which can be executed on the user's behalf
- The list only shows tasks which a user has permissions for

Approvals

To Dos / Approvals:
- Available through the "To Do" tab in the IdM UI
- Request items which require actions
- The list only shows items which are assigned to the logged-in user

Manage Tasks

Manage:
- Available through the "Manage" tab in the IdM UI
- Tasks which can be executed on entries (e.g. Persons, Roles)
- The task list only shows tasks which a user has permissions for

Favorites for Managing Entries

- Users can set their personal favorites for quick access to specific tasks
- Favorites appear as "quick link" buttons
- Favorites can be added through the task selection by "Add to Favorites"
- Favorites are stored in the user attribute "MX_USER_PREFS"

Structuring Tasks

- You can structure tasks using folders; this will be reflected in the UI
- No access permissions set (screenshot annotation)
- Visibility can be controlled on folder level
- Important: sub-folders can also serve as entry points by disabling parent folders

Search & Display Tasks

Advanced Search (screenshot)

Configuring the Search Result (screenshot)

Additional Options for Display Attributes

Validity:
- Validity setting for assignments
- Valid from / valid to
- For MXREF_ attributes only

Reason:
- Displays the assignment reason field
- Possible values: No, Optional, Mandatory
- For MXREF_ attributes only

Diagram:
- Enables display of the hierarchy diagram
- For MXREF_MXROLE only

Attribute Presentation

Examples shown on the slides:
- SingleLine, MultiLine
- SingleSelect, MultiSelect
- Boolean, Referral, File
- Lookup, Radio button, Mail, Date
- ObjectValueHelp

Layout Example

- Personal Data: Unique ID, Display Name, First Name, Last Name, Address, City, Country Key
- Account Information
- Communication Data: Primary E-Mail, Additional E-Mails, Primary Telephone Number, Additional Telephone Numbers

UI Task Configuration

- Configure UI attributes & elements
- Add UI elements

Resulting Screen (screenshot)

Additional Task Display Configuration

(Annotated screenshot, items a to g; [icon] = internationalization)

Displaying Additional Information

A UI task can be configured to show additional information:
- Pending values (in a separate tab)
- Historic values (in a separate tab)
- All attributes and values of a user (in a separate tab)

This is especially useful for monitoring purposes.

UI Permissions

- Self Services Tab: UME action "idm_authenticated"; this action controls general access to the IdM UI (minimum requirement)
- To Do Tab: IdM privilege "MX_PRIV:WD:TAB_TODO"; shows workflow items
- Manage Tab: IdM privilege "MX_PRIV:WD:TAB_MANAGE"; allows entry administration
- View Reports Tab: IdM privilege "MX_PRIV:WD:TAB_REPORT"; shows the reports available
- History Tab: IdM privilege "MX_PRIV:WD:TAB_HISTORY"; shows information about past approvals, self-service tasks and management tasks
- Monitoring Tab: UME action "idm_monitoring_administration"; access to monitoring information

Task Access Control

Configure who is allowed to access a specific task (screenshot).

Access Control Details

Possible options for "Allow access for":
- Anonymous
- Logged-in user or identity store entry
- Referral

Possible options for "On behalf of":
- Everybody: administer everybody
- User or identity store entry: self-service
- Filter: administer only entries according to a SQL statement. This option is only available when "simplified access control" is disabled. Usage of the filter is discouraged since it could create performance problems
- Relation Self: self-service
- Relation Manager: manager of the object (MX_MANAGER)
- Relation Owner: owner of the object (MX_OWNER)
- Relation Manager: owner of an assigned-to object
- Relation Member: member of an ...
- Relation Member of same role/privilege: same role assigned

Anonymous Access to Tasks

- The task must create a new entry
- Configuring anonymous access (screenshot)

Accessing the tasks:
- Access to anonymous tasks: http://<host>:<port>/webdynpro/dispatcher/sap.com/tc~idm~wd~workflow/AnonymousService
- Direct task access: http://<host>:<port>/webdynpro/dispatcher/sap.com/tc~idm~wd~workflow/AnonymousEditTask?TaskId=<task id>

Access Limitations on Entries

Limit which users are allowed to see which information:
- Search attribute: attribute on the entry which is being searched
- User attribute: attribute on the user performing the search

Access Limitations Example

Example configuration:
- Search attribute: COMPANY_NAME
- User attribute: COMPANY_NAME

Diagram: users A, B and C belong to Company 1; users C and D belong to Company 2.

Result:
- User A can see/search for users A, B and C
- User B can see/search for users A, B and C
- User C can see/search for users A, B, C and D
- User D can see/search for users C and D
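The "On behalf of" options and the access-limitation example above, combined into one model as an added example (this is not SAP code; the entry data, the task object and the function names are constructed for illustration, while the attribute names MX_MANAGER, MX_OWNER and COMPANY_NAME follow the slides):

```javascript
// Constructed identity-store entries: A, B, C in Company 1, C and D in Company 2.
// COMPANY_NAME is multi-valued so C can belong to both companies, as on the slide.
const entries = {
  A: { COMPANY_NAME: ["Company 1"], MX_MANAGER: ["C"] },
  B: { COMPANY_NAME: ["Company 1"], MX_MANAGER: ["C"] },
  C: { COMPANY_NAME: ["Company 1", "Company 2"], MX_MANAGER: ["D"] },
  D: { COMPANY_NAME: ["Company 2"], MX_MANAGER: [] },
};

// One check per "On behalf of" option modelled here (assumed keys, not IdM's
// configuration values). The SQL "Filter" option is deliberately not modelled.
const onBehalfOf = {
  everybody: () => true,
  self: (actor, target) => actor === target,
  manager: (actor, target) => ((entries[target] || {}).MX_MANAGER || []).includes(actor),
  owner: (actor, target) => ((entries[target] || {}).MX_OWNER || []).includes(actor),
};

// Access limitation: an entry is visible to the searching user when at least one
// value of the user attribute matches one value of the search attribute.
function isVisible(actor, target, searchAttr = "COMPANY_NAME", userAttr = "COMPANY_NAME") {
  const want = (entries[actor] || {})[userAttr] || [];
  const have = (entries[target] || {})[searchAttr] || [];
  return want.some((v) => have.includes(v));
}

// Everything `actor` can see or search for, sorted for stable comparison.
function visibleEntries(actor) {
  return Object.keys(entries).filter((id) => isVisible(actor, id)).sort();
}

// A task may act on `target` only if the target is visible to the actor AND the
// task's "On behalf of" option holds. Unknown options fail closed.
function canRunTaskOn(task, actor, target) {
  const check = onBehalfOf[task.onBehalfOf];
  if (!check) return false;
  return isVisible(actor, target) && check(actor, target);
}
```

A user without any COMPANY_NAME value sees nothing, which is the fail-closed behaviour you want when the limiting attribute is missing.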
About Pending Value Objects (PVO)

A pending value object is an entry with entry type MX_PENDING_VALUE. It holds an attribute value which will be set (or removed) on the entry in the future.
- Always belongs to another entry (of any type) within the identity store
- A single pending value object holds only one attribute/value pair
- The MX_ENTRY_REFERENCE attribute holds the reference to the owner entry
- MX_ATTRIBUTE_NAME holds the attribute to be written
- MX_ATTRIBUTE_VALUE holds the value to be written

Used for:
- Time-limited attributes (primarily for roles). In this case the pending value object holds the valid-from and valid-to dates.
- Several time schedules for a time-limited attribute (i.e. January 1 - January 15 and February 1 - February 14). This is achieved by having multiple pending value objects for the same attribute.
- General disabling of attributes.
- Approval of role and privilege assignments. In this case the pending value object holds the approvers and also the approval information. The approvers are automatically copied from the MX_OWNER attribute of the role or privilege (default).

PVO and Approvals

Approval usage:
- MX_PENDING_VALUE is typically used for approvals of assignments (privileges/roles)
- The approval task is defined as MX_ADD_MEMBER_TASK / MX_DEL_MEMBER_TASK
- The MX_PENDING_VALUE object is automatically created by the system
- The pending value will only be applied after successful completion of the approval task

MX_VALIDFROM and MX_VALIDTO:
- Hold information about when the entry is valid (and thus enabled) and when the entry is no longer valid (and needs to be removed)
- When the validFrom arrives, the attribute value will be added to the entry
- If validTo is defined, this sets the expiryTime, which means that the attribute will be deleted at this time
- The MX_PENDING_VALUE record that was holding the information is then deleted (but kept in old values)
- The function uApplyPending is used to approve or decline a pending value.

PVO Example: Role Assignment with Approval

(Diagram: Role, User 3001, Requ...)
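The PVO lifecycle described under "About Pending Value Objects" and "PVO and Approvals", as an added example that is not SAP code: it models a pending value object for a role assignment and shows when the value is applied, held back, or expired. The attribute names follow the slides; the approval flag, the in-memory store, the numeric timestamps and the function names are assumptions of this model, and uApplyPending itself is not reimplemented.

```javascript
// Constructed identity store with one user entry; MXREF_MXROLE holds the
// user's role assignments and oldValues stands in for IdM's old-value history.
const store = { "3001": { MXREF_MXROLE: [], oldValues: [] } };

// Build a PVO: one attribute/value pair, a reference to its owner entry and
// the validity window. `approved` is this model's stand-in for the approval
// task outcome: null = task still open, true = approved, false = declined.
function makePvo(ownerId, attr, value, validFrom, validTo) {
  return {
    MX_ENTRY_TYPE: "MX_PENDING_VALUE",
    MX_ENTRY_REFERENCE: ownerId,
    MX_ATTRIBUTE_NAME: attr,
    MX_ATTRIBUTE_VALUE: value,
    MX_VALIDFROM: validFrom,
    MX_VALIDTO: validTo,   // null = no expiry
    approved: null,
  };
}

// Evaluate one PVO at time `now` and return its state. Nothing is written to
// the owner entry before the approval task completes successfully; once
// validFrom is reached the value is added, and at validTo it is removed again
// and kept in old values.
function processPending(pvo, now) {
  const entry = store[pvo.MX_ENTRY_REFERENCE];
  const attr = pvo.MX_ATTRIBUTE_NAME;
  const vals = entry[attr] || (entry[attr] = []);
  const idx = vals.indexOf(pvo.MX_ATTRIBUTE_VALUE);
  if (pvo.approved === false) return "declined";          // never applied
  if (pvo.approved !== true) return "awaiting-approval";  // task still open
  if (now < pvo.MX_VALIDFROM) return "waiting";           // approved, not yet valid
  if (pvo.MX_VALIDTO !== null && now >= pvo.MX_VALIDTO) {
    if (idx >= 0) {
      vals.splice(idx, 1);
      entry.oldValues.push({ attr, value: pvo.MX_ATTRIBUTE_VALUE, removedAt: now });
    }
    return "expired";
  }
  if (idx < 0) vals.push(pvo.MX_ATTRIBUTE_VALUE);
  return "applied";
}

// Current role assignments of an entry (copy, so callers cannot mutate the store).
function roles(ownerId) {
  return store[ownerId].MXREF_MXROLE.slice();
}
```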