Thursday 1 September 2011

SAP Netweaver Identity Management IdM

The key to rapid, complete and compliant access provisioning, SAP IdM provides a single authoritative view of the access available to every individual in your organisation. It also lets you know when the access was assigned – and who approved it. It enables access to be provisioned and deprovisioned automatically.

The result? People can work productively within hours of starting a new job. And access can be disabled quickly and effectively when someone leaves or changes role.

SAP Netweaver Identity Management provides the following key capabilities:

- Single and consistent user identity provisioning
- SAP and non-SAP user access provisioning and de-provisioning
- Workflow based approval processing
- Segregation of duties compliance management
- Password reset self-service

Less risk, lower costs

SAP IdM reduces operational risk by eliminating access creep and bringing access provisioning in line with segregation of duties requirements. It also cuts the cost of IT support and business operations using smart features like data synchronisation, workflow driven processes and self service password resets.

Because SAP IdM is included in your SAP licensing costs, you don’t have to pay an additional license or maintenance fee when you use it within your SAP environment. The product is the replacement for SAP Central User Administration (CUA) – and SAP recommends you implement IdM rather than CUA.

As an extra benefit, SAP IdM can integrate with 3rd party identity management solutions that don’t interface well with SAP systems – giving you a cost effective way to bridge the gap between non SAP IdM systems and the SAP landscape.

Identity provisioning

User data is often held and maintained in different systems – first name, last name and personnel number in SAP HCM, email address in Active Directory, phone number in an access database etc.

SAP IdM combines all this data into a single, consistent identity, which is sent to all connected systems – both SAP and non-SAP – that need to know about the identity, and updated automatically whenever the source system data changes.

User access provisioning

Access provisioning generates a user account within each system the user needs to do their job. With SAP IdM you can gather together the technical SAP roles, Active Directory groups, portal roles etc. into meaningful sets of enterprise roles with a business context easily understood by the user community.

These enterprise roles cross system boundaries, allowing provisioning of access to multiple systems through a single request. This access can be provisioned automatically – or passed through an approval workflow in SAP IdM first.

Workflow based approval processing

SAP IdM can improve identity and provisioning processes through workflow based approvals, enabling IT operations to adhere to strict service levels – and cutting costs significantly.

Segregation of duties

SAP IdM lets you set up mutual exclusions between business roles where there is a known segregation of duties conflict – so these roles can’t be assigned to the same identity. If you need more advanced functionality, you can pass the segregation of duties check to a third party system or, using standard interfaces, to SAP GRC Access Control.

Within GRC Access Control, the Risk Analysis and Remediation (RAR) component can provide a detailed segregation of duties check on the roles being assigned, down to the object and transaction code level. If the assignment is approved in GRC Access Control, SAP IdM will provision the access.

User password management

Password management can be a costly business – from staffing a service desk to handle reset requests to lost productivity when users can’t access the system. SAP IdM provides two pieces of password functionality that help reduce costs by giving the user a single password across the enterprise – and the ability to manage this password themselves.

- Password self service – By answering some simple questions on a self service portal, a user can reset their password across all the systems managed by SAP IdM.
- Active Directory password hook – When a password is changed in Active Directory, the new password can be automatically provisioned to some or all of the systems managed by SAP IdM.
