Post on 29-Jan-2018
transcript
Session ID: SCUR102 - User Management and Authorizations Overview
© SAP AG 2004, SAP TechEd / SCUR102 / 2
Contributing Speakers
TechEd San Diego:
Larry Justice, Security Consultant, SAP America
Jens Koster, Security Product Manager, SAP AG
Gerlinde Zibulski, Security Product Manager, SAP Labs LLC
TechEd Munich:
Frank Buchholz, Security Product Manager, SAP AG
Jens Koster, Security Product Manager, SAP AG
Oliver Nocon, Portal RIG Consultant, SAP AG
Agenda
Identity and Role Management with SAP
Central User Administration
Directory Integration
Portal User Management Engine
User and Role Management for J2EE Web Applications
User Management Engine
J2EE Security Roles
UME Roles
SAP’s Strategy for Identity Management
Summary
Learning Objectives
As a result of this workshop, you will understand the concepts behind:
User management with SAP including Central User Administration
Directory integration
User Management Engine
Portal roles
Role management in ABAP and Java-based systems
Identity Management: Customers' Vision
Manage the individual's profile and relationships in heterogeneous and federated landscapes
Provide services and delegated administration features for:
Authentication (policy-based)
Single sign-on
Authorization (policy-based)
Profile management
Provisioning for legacy systems
Identity management done through one centralized component
[Diagram: Central Identity Management serving SAP R/3, the network OS, external access, HR and other applications]
Decentralized User Maintenance
Each SAP system has its own user data store
Decentralized user maintenance
Inconsistencies can occur between address data
[Diagram: separate user stores in SAP R/3 Enterprise, SAP EBP, SAP BW, SAP APO and further SAP systems]
Central User Administration
[Diagram: a CUA central system (SAP release 4.6C or higher) distributes user data via ALE to CUA client systems on SAP 4.5, 4.6 and 6.x]
Users can be administered in a central SAP system
Automatic distribution to client SAP systems
Local administration still possible (back distribution)
No inconsistencies
Central locks possible
ABAP Role Implementation Approach
ABAP Roles
[Diagram: user, composite role, single role and authorization data linked by 1:n and m:n relationships; each role has a menu of transactions, Web links, reports, etc. (e.g. a Service Rep menu), and the single role carries the authorizations]
Single roles (and the corresponding authorization profiles) are created in the CUA client systems.
Composite roles can be used either in the CUA client systems or in the CUA central system.
Portal Roles
A portal role is a container for applications and information that can be assigned to a particular group of users.
The content of a role enables users to perform the tasks belonging to their job description.
The content of a portal role is based on the company structure and on the information needs of the portal users in the company.
The portal navigation structure is defined by the sum of the roles assigned to the user.
Technically, a role is a hierarchy of folders containing other portal content objects.
Roles can be assigned to users or groups of users, i.e. the portal role connects users (or groups of users) to the portal content.
Introduction of worksets as a new layer in a role hierarchy.
[Diagram: role assignment, e.g. Role A assigned to User Group 1 and User Group 2]
User Management – Directory Integration
[Diagram: a meta-directory exchanging user data between HR, telephony, the operating system, other applications and Central User Administration]
Directory Benefits
Directories serve as a central repository for master data that is used by several different applications.
Modifications to this data can be made by every authorized application.
Access to this data is provided using the standardized Lightweight Directory Access Protocol (LDAP).
Hundreds of other application and hardware vendors support this protocol.
SAP systems can be connected to such a directory to share parts of their user data or database content (e.g. HR data) with other applications.
HR Data Replication from SAP in an LDAP-Enabled Directory Service
[Diagram: HR system 4.0 and higher with Plug-In System (PI 2001.2), or 4.5 with Plug-In System (PI 2001.2); data retrieval in Personnel Management via query or ABAP report; replication via RFC through SAP Web AS as of 6.10 into the directory]
As of 4.70 HR can be connected directly to the LDAP directory
Central User Administration & LDAP Synchronization
[Diagram: a CUA central system (SAP release 6.10 or higher) distributes user data via ALE to CUA client systems on SAP 4.5, 4.6 and 6.x and is synchronized with an LDAP directory]
CUA & LDAP Synchronization & Enterprise Portal
[Diagram: the Enterprise Portal with User Management Engine (UME) uses the directory as its persistence store; the directory is synchronized with the CUA central system (SAP release 6.10 or higher), which distributes user data via ALE to CUA client systems on SAP 4.5, 4.6 and 6.x]
SAP NetWeaver Portal Infrastructure
Role-based, secure, Web-based access to any kind of applications, information and services (ERP, CRM, ...)
[Diagram: SAP Enterprise Portal 6.0 with authentication and single sign-on; example roles Sales Manager, Line Manager and Business Developer; documents covered by Knowledge Management (KM)]
SAP NetWeaver Powers mySAP Solutions: Role-Specific, Easy Access to All Systems
[Diagram: Employee Self Service role and Manager Self Service role (SAP ERP)]
Architecture Overview – User Management Engine
[Diagram: applications such as SAP Enterprise Portal access user management through the User API, User Account API, Group API and Role API; the User Management Core Layer consists of the Persistence Manager and the Replication Manager; persistence adapters connect the user persistence store, which can be a database, an LDAP directory, an SAP system or an external system]
Main Role Concepts in SAP NetWeaver
[Diagram: single and composite roles in ABAP-based systems (maintained in transaction PFCG) and portal roles in SAP Enterprise Portal; authorization roles in ABAP can be generated from user interface roles in the Portal]
ABAP Roles and Portal Roles: A Comparison
Portal Roles:
Portal roles carry the user interface information but (almost) no authorization information.
Portal roles cannot be used in the Portal environment to create authorizations for the backend systems.
Authorizations must still be maintained in the backend system.
ABAP Roles:
Roles (single roles) carry authorization information.
The Profile Generator is part of role administration in transaction PFCG.
The content of authorization roles can be generated using the definition of portal roles.
Usage of UME by applications in SAP J2EE 6.40
[Diagram: the UME in the SAP J2EE Engine can use a database, an LDAP directory or the ABAP stack as its user persistence store]
J2EE Security Models
J2EE supports two different security models:
Declarative security: access control linked to the resource
Decouples access control from application logic
Easy to implement and maintain
Programmatic security: access control within the Java code
More flexible, but linked to the application logic
More work to implement
J2EE Role Concept (Example) - Declarative Security
[Diagram: an EJB, e.g. Address, with the methods change and display, packaged in a JAR inside an EAR; the security roles Change and Display are declared with it and mapped to the user groups Change and Display, which contain users such as User1 and User2]
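As an added example (not from the SAP slides or SAP code), the two J2EE models from the previous slide applied to the Address EJB above, with its change and display methods and the roles Change and Display: the ejb-jar.xml mapping is shown as a comment, the home and component interfaces are omitted, and the in-memory store and the "own record" rule are assumptions made for illustration.

```java
import javax.ejb.CreateException;
import javax.ejb.EJBException;
import javax.ejb.SessionBean;
import javax.ejb.SessionContext;

/*
 * Declarative security lives in ejb-jar.xml (fragment shown as a comment);
 * the container enforces it before any bean code runs, and the roles are
 * mapped to users or groups at deployment time:
 *
 *   <security-role-ref><role-name>Change</role-name>
 *     <role-link>Change</role-link></security-role-ref>       (in <session>)
 *   <assembly-descriptor>
 *     <security-role><role-name>Display</role-name></security-role>
 *     <security-role><role-name>Change</role-name></security-role>
 *     <method-permission><role-name>Display</role-name>
 *       <method><ejb-name>Address</ejb-name><method-name>display</method-name></method>
 *     </method-permission>
 *     <method-permission><role-name>Display</role-name><role-name>Change</role-name>
 *       <method><ejb-name>Address</ejb-name><method-name>change</method-name></method>
 *     </method-permission>
 *   </assembly-descriptor>
 */
public class AddressBean implements SessionBean {
    private SessionContext ctx;
    // Stand-in for the real persistence layer (assumption, not SAP code).
    private final java.util.Map<String, String> store = new java.util.HashMap<String, String>();

    public void setSessionContext(SessionContext ctx) { this.ctx = ctx; }
    public void ejbCreate() throws CreateException { }
    public void ejbRemove() { }
    public void ejbActivate() { }
    public void ejbPassivate() { }
    // Declarative only: the container rejects callers outside the Display
    // role before this runs, so the body carries no security logic.
    public String display(String userId) {
        return store.get(userId);
    }

    // Programmatic: the descriptor admits both roles; the finer rule that
    // Display-only callers may change just their own record is coded here.
    public void change(String userId, String newAddress) {
        boolean ownRecord = userId.equals(ctx.getCallerPrincipal().getName());
        if (!ownRecord && !ctx.isCallerInRole("Change")) {
            throw new EJBException("caller may not change the address of " + userId);
        }
        store.put(userId, newAddress);
    }
}
```

Note that the programmatic check is only reachable for callers the declarative method-permission already admits; the two models layer, they do not replace each other.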
UME Role Concept – Programmatic Security
[Diagram: permissions (Permission1 to Permission6) are grouped into actions (Action1 to Action4) defined by applications (Application1, Application2); actions are assigned to UME roles (UME Role 1, UME Role 2), which in turn are assigned to users or groups]
Players: Identity and Access Management
Access management: centralized access control decision, to be enforced in all components
Identity management: managing attributes of identities for a complex landscape, incl. those needed for security
[Diagram: identity management (organizational structure, provisioning of user info, user lifecycle management, attribute federation, administration workflow, business partner integration) and access management (authentication, single sign-on, access control, provisioning of authorization info, policy definition, policy enforcement) spanning the application infrastructure, business process information, Web services choreography, SAP applications and non-SAP applications ("legacy" integration option)]
Standards: Identity and Access Management
[Diagram: a security kernel with access control engines, rules and roles administration, identity provider / attribute provider and identity administration; standards involved: SAML, Liberty and WS-Federation for attribute information; SAML for attribute information and authorization decisions; XACML for business rules enquiries; XrML for object rights provisioning; LDAP, DSML and SPML for user provisioning]
Summary
SAP leverages various user persistence store options
SAP allows for roles and authorizations with appropriate strength
SAP further enhances its Identity Management features and functions
SAP plans to develop its own solution for the external user account provisioning application (for SAP and non-SAP applications) based on NetWeaver
The existing applications (Portal User Management Engine / Central User Administration / Directory Integration) will be an integral part of the new solution
Please note that this document is subject to change and may be changed by SAP at any time without notice. The document is not intended to be binding upon SAP to any particular course of business, product strategy and/or development.
Further Information (San Diego)
Public Web: www.sap.com
SAP Developer Network: www.sdn.sap.com (SAP NetWeaver Platform Security)
SAP Customer Services Network: www.sap.com/services/
Related Workshops/Lectures at SAP TechEd 2004:
SCUR351, User Management and Authorizations: The Details; Wed, 2:00 PM - 6:00 PM, 31A; Fri, 8:00 AM - 12:00 PM, 30D
SCUR101, Security Basics; Tue, 1:30 PM - 2:30 PM, 2; Wed, 4:00 PM - 5:00 PM, 4
SCUR251, Single Sign-On in Heterogeneous Landscapes; Wed, 10:30 AM - 12:30 PM, 30C; Thu, 1:45 PM - 3:45 PM, 30A
SCUR202, Security Optimization Service; Wed, 9:15 AM - 10:15 AM, 6C; Thu, 9:15 AM - 10:15 AM, 9
PRTL152, Portal Roles – Roles vs. Authorizations; Wed, 1:45 PM - 3:45 PM, 30A; Thu, 8:00 AM - 10:00 AM, 30B
Related SAP Education Training Opportunities: http://www.sap.com/usa/education/ ADM940-960
Further Information (Munich)
Public Web: www.sap.com
SAP Developer Network: www.sdn.sap.com (SAP NetWeaver Platform Security)
SAP Customer Services Network: www.sap.com/services/
Related Workshops/Lectures at SAP TechEd 2004:
SCUR351, User Management and Authorizations: The Details; Thu, 9:00 AM - 1:00 PM, HO01
SCUR202, Security Optimization Service; Wed, 5:00 PM - 6:00 PM, L1
Related SAP Education Training Opportunities: http://www.sap.com/education/ ADM940-960
SAP Developer Network
Look for SAP TechEd ’04 presentations and videos on the SAP Developer Network.
Coming in December.
http://www.sdn.sap.com/
Q&A
Questions?
security@sap.com
URL: http://service.sap.com/security
Please complete your session evaluation.
Be courteous — deposit your trash, and do not take the handouts for the following session.
Feedback
Thank You !
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.
Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.
Microsoft, Windows, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation.
IBM, DB2, DB2 Universal Database, OS/2, Parallel Sysplex, MVS/ESA, AIX, S/390, AS/400, OS/390, OS/400, iSeries, pSeries, xSeries, zSeries, z/OS, AFP, Intelligent Miner, WebSphere, Netfinity, Tivoli, and Informix are trademarks or registered trademarks of IBM Corporation in the United States and/or other countries.
Oracle is a registered trademark of Oracle Corporation.
UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group.
Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc.
HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology.
Java is a registered trademark of Sun Microsystems, Inc.
JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape.
MaxDB is a trademark of MySQL AB, Sweden.
SAP, R/3, mySAP, mySAP.com, xApps, xApp, SAP NetWeaver and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world. All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary.
These materials are subject to change without notice. These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.
Copyright 2004 SAP AG. All Rights Reserved