Copyright © 2012, Oracle and/or its affiliates. All rights reserved. Confidential – Oracle Internal 1


Timm Seitz, Senior Architect, Oracle Solution Center SAP Competence

Oracle Identity Management

Oracle Identity Manager for SAP


Agenda

• Identity Management: The Big Picture
• Overview: Oracle Identity Manager for SAP
• Integration of OIM with SAP BO AC V10
• Conclusion/Summary
• Q&A


Identity Management: The Big Picture



IdM: “Technology” Areas of Conflict


Identity Management Portfolio – 11gR2


Oracle's Commitment to the SAP business

[Figure: Oracle's stack for SAP, from the Oracle Database down through software, infrastructure, virtualization, server OS and hardware to services]


Oracle SAP Competence: the SAP Competence team within Oracle Corp.

[Figure: Oracle's Global SAP Competence Center, with the teams SAP Support Center, SAP OSC Architects, SAP ISV Engineering, Oracle/SAP Database, SAP Market Development and SAP Storage Experts; head of business: SAP Alliance and Channel Management]

• SAP certified technologies
• One point of accountability
• SAP customer focused solutions
• Services defined to work together
• Direct or indirect customer support

Around 70 people in total in Walldorf (Germany) alone, the location of SAP's headquarters

OSC4SAP = sub-division/part of the global SAP Competence Center

Oracle Identity Manager for SAP


Identity Management by Oracle


Identity Management for SAP

• Oracle Identity Manager for SAP
  • Access request management
  • Provisioning/de-provisioning
  • SAP specific SoD checks
• Oracle Database for SAP
  • DB Security/Vault
• Oracle Access Manager
  • SAP NetWeaver Enterprise Portal
  • SAML 2.0 / SSO
• Oracle Enterprise SSO for SAP
  • Passlogix
  • SAP GUI SSO

(Slide legend: In-scope / Out-of-scope)


OIM SAP Connectors as of May 2013

[Figure: connector architecture. A trusted source feeds OIM/OW, which provisions to the target system (arrows labelled R, P and TSR). The Oracle Identity Manager ICF (Identity Connector Framework) server hosts the common connectors and the SAP connector, exposed to OIM and Waveset through the API and SPI]

• Available SAP specific connectors:
  • SAP UM Connector
    • Standard SAP provisioning, plus:
    • SAP CUA support
    • SAP BO AC 5.3 support
    • SAP BO AC V10 support
  • SAP UME Connector
    • Standard SAP provisioning, plus:
    • SAP Federated Portal support
    • SAP BO AC 5.3 support
    • SAP BO AC V10 support
  • SAP Employee Reconciliation Connector
    • Specific SAP HCM/HR connector


Oracle Identity Manager – SAP User Management Connector (May 2013)

• Basic mode/functions:
  • Account creation or modification provisioning requests to either SAP ERP (ABAP) or SAP CUA/ZBV
• Supported provisioning methods:
  • Direct provisioning (OIM admin driven only)
  • Request-based provisioning (OIM user driven)
  • Access policy change provisioning (OIM automatic, policy driven)
• Uses official SAP BAPIs for all provisioning/account operations on the SAP target

[Figure: OIM and SAP ERP connected through the SAP UM connector. Provisioning calls SAP BAPIs to create/update accounts; scheduled tasks reconcile changes made directly in SAP (transaction SU01) against OIM users]

SAP Central User Administration (CUA) = Zentrale Benutzerverwaltung (ZBV), ABAP

Oracle Identity Manager – SAP User Management Connector with SAP CUA (May 2013)

• Basic mode/functions and supported provisioning methods as on the previous slide
• From the SAP CUA point of view this is indirect provisioning: OIM provisions and reconciles against the CUA central system via SAP BAPIs, and CUA in turn provisions the connected SAP ERP systems (ABAP only)

[Figure: OIM and SAP CUA connected through the SAP UM connector (provisioning and reconciliation via SAP BAPIs and scheduled tasks); SAP CUA provisions SAP ERP via SAP BAPIs; ABAP only]

SAP Central User Administration (CUA) = Zentrale Benutzerverwaltung (ZBV), ABAP


Oracle Identity Manager – SAP User Management Engine Connector

• Basic mode/functions:
  • Account creation or modification provisioning requests to SAP AS Java based application components, e.g. SAP NW Enterprise Portal
• Supported provisioning methods:
  • Direct provisioning (OIM admin driven only)
  • Request-based provisioning (OIM user driven)
  • Access policy change provisioning (OIM automatic, policy driven)
• Uses official SAP Web Services for all provisioning/account operations on the SAP target

[Figure: OIM and SAP AS Java connected through the SAP UME connector (web service client) calling the SAP SPML service. Provisioning creates/updates accounts; scheduled tasks reconcile changes made directly in the SAP Admin Console against OIM users]


Oracle Identity Manager – SAP HCM/HR Connector

• Basic mode/functions:
  • OIM connector for SAP Employee Reconciliation (HCM Active Sync)
  • Retrieves employee records in real time from SAP HCM and creates identities for them in OIM
  • Typical use case: new hire
• Supported deployments
  • Full reconciliation (all source system users)
  • Incremental reconciliation via tRFC (only changed or new user records)
  • SAP Intermediate Document (IDoc) based data exchange / ASCII flat files (Application Link Enabling interface)*

[Figure: SAP ECC/HCM (HCM department, transaction PA30) is the leading/authoritative source. Full reconciliation reads IDoc files manually copied into the OIM directory; incremental reconciliation is listener based, via tRFC through the SAP Java Connector. Both create and update OIM users from the HCM profile]

*The connector supports all IDoc types that are associated with the HRMD_A message type

No support for SAP system account provisioning or reconciliation for SAP HCM

Oracle Identity Manager with SAP BO Access Control V10


Oracle Enterprise Governance Suite: Risk-based Certification and Segregation of Duties Analysis

[Figure: identity data sources (mainframe, DB, applications, operating system) feed OIM + OIdA / Application Access Controls Governor (ESoD), which hold roles, entitlements and resources together with certification history, provisioning events and policy violations. Risk aggregation separates low-risk users (bulk certify) from high-risk users (Cert 360: focused approve/reject/sign-off). SoDs are backed by best-practice libraries for Oracle Apps]

SoD = Funktionstrennung (segregation of duties); OIdA = Oracle Identity Analytics, central role management


Bridging a business and a technology gap

Enterprise IT-Compliance


Functional overview: The four pillars of Access Control

SAP BO AC V10

Oracle Identity Manager – Integration of the SAP SoD Engine

• SAP specific SoD Invocation Library
  • OIM SAP AC SIL Provider
• Web Services based communication
  • OIM SAP AC Web Service Client
  • Based on SAP's official AC WSDL as input
• Used by the OIM SAP connectors during provisioning operations for SoD checks

[Figure: OIM as consumer calls the SoD Invocation Library (SIL and adapters); the SIL dispatches to a SIL provider (SAP SIL provider, custom SIL provider or OAACG* SIL provider); the SAP provider uses the AC web service client to reach SAP BO AC]

*OAACG = Oracle Application Access Controls Governor

WSDL = Web Service Definition Language


Oracle Identity Manager – Integration of the SAP SoD Engine

• OIM SAP Connectors
  • Used as the interface between OIM and SAP BusinessObjects Access Control
  • Provisioning requests can be validated by SAP's official SoD engine
• Supported connector types for SoD checking
  • OIM SAP User Management Connector
  • OIM SAP User Management Engine Connector

[Figure: OIM with the SAP SIL provider. The OIM SAP UM connector (ICF, marked 1) and the OIM SAP UME connector (marked 2) each carry a pre-configured invocation of the SAP SIL provider, which calls SAP BO AC V10 (AC-PC-RM on NW AS ABAP, AS ABAP UM) over web services to run the SoD checks]


OIM with SAP BO AC V10 – Scenario 01: IdM with SoD

[Figure: request workflow across three swim lanes: requestor (clerk), business line manager, IT department]

• Requestor (clerk): new or change request, e.g. for the FI Manager role
• Business line manager: business approval
• Risk analysis / SoD: SAP specific SoD check by SAP BO AC (used for SoD risk analysis only) and non-SAP SoD check
• IT department: IT provisioning
• All steps run in one workflow (Oracle IdM WFL)
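The SoD gate described on the SIL slides and in Scenario 01, modelled as an added example (not Oracle's or SAP's code): pluggable SIL providers, an SAP specific one and a custom non-SAP one, run risk analysis on the resulting access after business approval and before IT provisioning. Provider names, rule ids and role names are constructed; the real SAP provider would query SAP BO AC over the AC web service, here each provider holds a local rule set.

```python
# Model of the SoD gate on the SIL and Scenario 01 slides: an OIM provisioning
# request runs through the SoD Invocation Library (SIL) and its providers before
# any account change reaches SAP.  Added example, not Oracle or SAP code: provider
# names, rule ids and role names are constructed; the real SAP provider would ask
# SAP BO AC over the AC web service, here each provider holds a local rule set.
from dataclasses import dataclass

@dataclass
class ProvisioningRequest:
    user: str
    target: str                  # "SAP ERP (ABAP)" via UM connector, "SAP AS Java" via UME
    current_roles: frozenset     # access the user already holds
    requested_roles: frozenset   # access asked for in this request

class SilProvider:
    """One pluggable SoD engine behind the SIL (SAP, custom or OAACG on the slide)."""
    name = "base"
    rules = {}                   # rule id -> pair of roles that must not be combined

    def analyze(self, req):
        # Risk analysis on the resulting access, not only the requested roles,
        # so an existing role plus a newly requested conflicting one is caught.
        effective = req.current_roles | req.requested_roles
        return [(self.name, rid, pair) for rid, pair in self.rules.items()
                if set(pair) <= effective]

class SapAcProvider(SilProvider):
    name = "SAP BO AC"           # SAP specific SoD check (constructed rule)
    rules = {"P001": ("FI_VENDOR_MAINTAIN", "FI_VENDOR_PAYMENT")}

class CustomProvider(SilProvider):
    name = "custom"              # non-SAP SoD check (constructed rule)
    rules = {"C001": ("FI_VENDOR_PAYMENT", "BANK_FILE_RELEASE")}

def sod_check(req, providers):
    """SIL entry point: every configured provider is invoked, all hits collected."""
    return [v for p in providers for v in p.analyze(req)]

def provision(req, providers, business_approved):
    """Scenario 01 order: business approval, then risk analysis/SoD, then IT
    provisioning.  Returns (decision, violations)."""
    if not business_approved:
        return "rejected: no business approval", []
    violations = sod_check(req, providers)
    if violations:
        return "blocked: SoD violation", violations
    return "provisioned", []

# Constructed request: a clerk who already maintains vendors asks for payment rights.
REQUEST = ProvisioningRequest("clerk01", "SAP ERP (ABAP)",
                              frozenset({"FI_VENDOR_MAINTAIN"}),
                              frozenset({"FI_VENDOR_PAYMENT"}))
PROVIDERS = [SapAcProvider(), CustomProvider()]
```

Running provision(REQUEST, PROVIDERS, business_approved=True) returns the blocked decision with the constructed SAP rule P001 as the hit, because the vendor maintenance role the clerk already holds combined with the requested payment role matches it.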


Conclusion


Identity Management: Jump to a Modernized Identity Management Platform

• Reduce costs and risks with a complete identity governance suite
• Seamless application access from any device
• Low-risk, high-value upgrades and consolidation
• Empower and enable new digital identities
• Scalable software architecture
• Dedicated support for major ISVs, e.g. SAP ERP


Open Questions


Oracle Release Support


SAP User Management (ABAP) Connector Release 11.1.1.5.0

• Supported OIM releases
  • Oracle Identity Manager 11g Release 1 (11.1.1.5.6) or later
  • Oracle Identity Manager 11g Release 2 (11.1.2.0.1) or later
• Supported SAP JCo release
  • SAP JCo 3.0.2 or later
• Supported SAP BO AC releases:
  • SAP BO AC V5.3
  • SAP BO AC V10


SAP User Management Engine (Java) Connector Release 11.1.1

• Supported OIM releases
  • Oracle Identity Manager 11g Release 1 (11.1.1.5.6) or later
  • Oracle Identity Manager 11g Release 2 (11.1.2.0.1) or later
• Supported SAP JCo release
  • SAP JCo 3.0.2 or later
• Supported SAP BO AC releases:
  • SAP BO AC V5.3
  • SAP BO AC V10


© 2013 SAP AG. All rights reserved.


No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.


The information in this document is proprietary to SAP. No part of this document may be reproduced, copied, or transmitted in any form or for any purpose without the express prior written permission of SAP AG.