Identity Manager

SAP Certified Powered by SAP NetWeaver

The Identity Manager is a component of our software package SUIM-AIM and is SAP certified.

User and Identity Management for SAP and Non-SAP Systems

The Big Picture

The Identity Manager (IM) is a centralized User Management System.

The Identity Manager (IM) covers all the key processes for safe and efficient user management, including:

  • Creating an Identity
  • Implementing modifications
  • Maintaining Properties (Field values) of an Identity
  • Locking / unlocking an Identity
  • Setting / changing identity checks
  • Password-Management
  • Reconciliation

These actions can be centralized through a request in the IM, enabling real-time data distribution across the desired target systems.

  • The Identities on the different systems are continually synchronized based on defined rules (Mapping) and customer processes.
  • The Mapping defines which system operates as the “Master” for any given set of parameters.
  • The application and authorization process for an identity is supported by a workflow, which renders paper forms unnecessary. The workflow also provides the basis for decentralizing user management where desired.
  • Due to the integration of AM/AMSO, the allocation of authorizations to Professional and CC SAP users can also be done centrally.
  • The integration of CE means that the predefined risks of the SAP users on all systems can be analyzed.
  • The user administrator has a wide range of analysis functions and administration tools at his or her disposal.

Highlights

IM – Modularity to suit every Organization Structure

  • The company can be split and managed in any number of subsidiaries.
  • Each subsidiary can define its own encapsulation (permitted field values, own processes, own rules, own people responsible, own identity master data).
  • When an identity moves from one organization to another, the standard values (printer, rights, etc.) of the new organization are assigned automatically.

IM – Process Integration (API)

  • Predefined interfaces and events enable customer-specific requirements and processes to be defined within Identity Management for each system.
  • What is triggered, for example, by a discharge? Which identities (SAP user, Business Partner, essential personnel) are affected by the change?

IM – Meta-Directory

  • The Meta-Directory allows the definition and linkage of any number of attributes, long texts, binary data and attachments in an identity.
  • These attributes can be used within the API.

IM – Customizing-Wizards

  • A simple and structured Customizing-Guide is included.
  • With it the organizations, the mapping rules as well as the API-Processes can be defined individually.

IM – HR Trigger/Integration

  • With HR events, the master data of an identity can be overwritten automatically from the HR system.
  • User master data can be automatically updated to reflect changes to attributes such as entry, discharge, transfer or name changes.

IM – Active Directory/Third-Party Product Integration

  • With the LDAP-Connectors, one or more Active Directories can be connected to the IM.
  • Desired AD-Attributes can be read as well as managed.
  • Third-Party Products, e.g. Lotus Notes, can be connected using a Connector.

IM – Workflows and Reconciliation

  • The IM provides a central request.
  • Real or triggered changes can be granted via Workflow.

IM – History

  • Due to the central management, a system wide request and change history is available.

IM – Integration of AM, AMSO and CE

  • IM allows the integration of the Access-Manager and the Access-Manager for Support Organization directly in one identity request. Due to this integration the predefined authorization processes are supported.
  • The integration of the Compliance Enforcer means that predefined risks and SoD-Rules can be checked system wide per identity.

Identity Manager: a Functional overview

Identity-Request

The IM-Request allows a decentralized user administration with the optional execution of one or more approval and quality assurance steps, before a user is created or modified on a system.

With the IM-Request, one can see the current state (existence, lock status, state, attributes, etc.) of a user on an overview screen covering the entire system landscape of an IM-Organization.

Main functions

  • Requesting user changes:
    • choice of user attributes (Name, Company, desired Systems, etc.) as well as the action (create, lock, password replication, etc.).
    • distribution of the request, or distribution of the request according to authorization.
  • Usernames can be checked for compliance with a naming convention defined for the IM-Organization.
  • Risk/SoD violations of SAP-User per system can be checked directly in the IM.
  • Request and distribution of Access Manager / Access Manager for Support Organisations authorizations.
  • Action log: Display change records as well as the application log of the selected IM-Identity.

For that purpose IM uses the extensive risk and SoD control mechanisms of the Compliance Enforcer.

The rules and risks defined in the Compliance Enforcer ensure the recognition of potential risks.

In case of a risk, IM generates a Workflow Message which is forwarded to the responsible decider.

User Lifecycle: IM-Workflow

IM-Standard-Request process

  • In the optimal standard process, a workflow is initiated when a Super-User files a request for a new user.
  • The supervisor receives a request for the new employee in his or her inbox, checks the request and adds additional information if necessary. On saving, the request is released and the work item disappears from the inbox.
  • Based on the customized settings, the supervisor simultaneously assigns the required rights in the integrated Access Manager.
  • The employee now receives an e-mail with all the accounts on the various SAP and non-SAP systems as well as the generated initial passwords.

IM Customizing

Organizational encapsulation

The organizational encapsulation can be completely adapted in the IM to fit the different needs of your company. The arrangement is possible on the basis of different combinable parameters, such as an account number or personnel subarea, and allows a precise mapping of the organizational reality. Because the IM fully supports these organizational dependencies, user administration can be done in a decentralized manner, lowering the load on central services and speeding up the process.

Mapping Rules

The IM-Context-Definitions-Wizard allows the linkage of IM attributes from different applications. This forms the basis of the matching mechanism that ensures the consistency of all attributes of an identity.

The action for the identity distribution is defined in the context of each attribute. E.g. the attribute "first name" from the HR system (infotype 0002) is imported into the IM (field CIM-FIRST_NAME), exported to the attached SAP systems (field ADDR-NACHN) and provided as a suggested value in the Active Directory (field given_name).

This definition is done for each attribute.

This philosophy means that the IM does not have to be the master system for every attribute. For some attributes it makes sense to leave the lead with an existing system. Either way, the IM guarantees that all managed attributes are kept up to date and remain consistent across the entire system landscape.
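As an added illustration of this per-attribute master principle (not SUIM's code; the rule table, the system names and the USER_GROUP field are constructed, while the first-name fields follow the page's example), a small Python model that derives the distribution actions for one identity:

```python
# Toy model of per-attribute mapping rules with exactly one master per attribute.
# Added illustration only, not SUIM code; first-name fields follow the page's example.
from dataclasses import dataclass

@dataclass(frozen=True)
class MappingRule:
    im_field: str                 # attribute name inside the IM
    master: tuple                 # (system, field) that owns the value
    targets: dict                 # system -> field the value is exported to
    suggest_only: frozenset = frozenset()  # targets that only get a proposal

# Constructed rules: HR leads for the first name, the IM itself leads for the
# user group (USER_GROUP is a constructed target field name).
RULES = [
    MappingRule("CIM-FIRST_NAME", ("HR", "0002-first_name"),
                {"SAP": "ADDR-NACHN", "AD": "given_name"}, frozenset({"AD"})),
    MappingRule("CIM-USER_GROUP", ("IM", "CIM-USER_GROUP"), {"SAP": "USER_GROUP"}),
]

def reconcile(rules, systems):
    """Return the distribution actions needed to make every attribute consistent.

    `systems` maps system name -> {field: value} for one identity. The master
    value always wins: the IM copy is refreshed first, then each target either
    gets the value written ("set") or, for suggest-only targets, proposed
    ("suggest"), so a locally maintained value is never silently overwritten.
    A missing master value is reported instead of being guessed.
    """
    actions = []
    im = systems.setdefault("IM", {})
    for rule in rules:
        msys, mfield = rule.master
        value = systems.get(msys, {}).get(mfield)
        if value is None:
            actions.append(("missing_master", rule.im_field, msys))
            continue
        if im.get(rule.im_field) != value:
            actions.append(("set", "IM", rule.im_field, value))
            im[rule.im_field] = value
        for tsys, tfield in rule.targets.items():
            if systems.get(tsys, {}).get(tfield) == value:
                continue   # already consistent, nothing to distribute
            kind = "suggest" if tsys in rule.suggest_only else "set"
            actions.append((kind, tsys, tfield, value))
    return actions
```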

Reorganization and Quality management of User-Attributes

Project rollouts, reorganizations, mergers or takeovers can cause a high workload for user administration. Given how critical system security and user management are to the success of these events, IM offers high-performance tools for reliable and efficient mass processing.

Quality management and User-Consistency-Check

  • The IM-Reconciliation and mass distribution generate all users covered by the structural and organizational elements defined in IM-Customizing, without manual effort.
  • Three reconciliation triggers are available: SAP, HR and Active Directory reconciliation. Each of these triggers can cover individual processes of the customer via the IM-Context-Definition-Wizard and the implementation of customer-specific methods.
  • The Mass-Distribution-Tool can distribute the Identity to all desired target systems.
  • A cross system comparison of SAP-Users offers an overview of the current state (incl. last login, password state, blocking state, etc. ) of the Users.

Replicate Company-Address system wide

  • With the IM-Administration-Tool the state and the existence of the Companies-Address can be checked and distributed system wide.

Replicate User-Groups system wide

  • With an IM-Administration-Tool the state and the existence of the User-Group and short text can be checked and distributed system wide.

Integrate / remove System in IM

  • The system landscape and organizations of a customer are constantly changing.
  • System utilization analysis and wizards allow the easy integration of a system in the IM-Customizing.
  • Wizards also enable the integration or removal of IM-Organizations in the entire Identity Management Solution.