PART I of III: Advanced Authorization for SAP Global Deployments: September 20, 2011

© 2005-2011 NextLabs Inc.

Advanced Authorization for SAP Global Deployments

Part I:The SAP authorization toolbox and models for access control

Sandeep Chopra, Senior Product Mgr NextLabs, Inc.

© 2005-2011 NextLabs Inc. Slide 2

Agenda

Objective Review access control challenges of a global SAP deployment Describe a model for applying tools to address requirements Look at the some of tools in the authorization tool box

Presentation Anatomy of a Global Deployment Access Control Requirements and Challenges The Authorization Toolbox A Pragmatic Authorization Model An Authorization Decision Map The Next Step – Applied Authorization

Question and Answers


Suppliers

Anatomy of a Global Deployment

Customer

Regulatory Jurisdictions

Design Partners

Suppliers

ERP/PLM

IT Ops

Manufacturing

Engineering

Service

Engineering

Manufacturing

Manufacturing

TradeCompliance

Regional Compliance Jurisdictions Export Compliance Privacy Financial Reporting

Global Supply Chain Shared Supply Chain Management External Access Co-opetition Multi Level Supply Chain

External Access External Partner Collaboration Direct External Access

Shared IT Ops Administration Helpdesk Development

Global Shared Process Global versus Regional Functions Multi Line of Business Global Collaboration and Workflow


Advanced Authorization Challenges

CollaborationHow do I share data and functions to enable global collaboration?

How to I enable collaboration with external partners?

How do I do more business around the world?

How to I support systems 24/7 at the lowest cost?

SecurityHow do I limit access to data and functions for users in a specific region or LOB?

How do I protect my company IP from leaking outside the company?

How do ensure compliance with multiple global regulations?

How do I control privileged IT users?


Suppliers

Anatomy of a Global Deployment

Customer

Regulatory Jurisdictions

Design Partners

Suppliers

ERP/PLM

IT Ops

Manufacturing

Engineering

Service

Engineering

Manufacturing

Manufacturing

TradeCompliance

Regional Compliance Jurisdictions Export Compliance Privacy Financial Reporting

Global Supply Chain Shared Supply Chain Management External Access Co-opetition Multi Level Supply Chain

External Access External Partner Collaboration Direct External Access

Shared IT Ops Administration Helpdesk Development

Global Shared Process Global versus Regional Functions Multi Line of Business Global Collaboration and Workflow


Authorization Toolbox

Physical Segregation Multiple instances Client Partitions

RBAC SAP Authorization Concept

Context-based Access PLM Access Control Model (ACM)

Attribute Based Access Control (ABAC)

Custom Development


Physical Segregation

ERP 1OtherEmployees

Project ACME Team Members

SAP for Project ACME

Project ACMEPartners

SeparateAdministration, Storage,

IT Management


SAP Authorization Concept

Profile / Role Driven Role Based Access

Control (RBAC)

Functional Access Transactions, programs,

services

Data Access Up to 10 AND’ed

authorization fields e.g. Company, Plant


PLM Access Control Management (ACM)

RootContext

Line Org.Project

Org.

Depart-ment A

Project A Project BStandards

Internal Public

Context (e.g.: Standard Gear-Box)

ACL

Access controlOn individual objects

(optional & additional)

Access Control Lists Object Level Accesss Control

Access Control Contexts Groups Resources in multiple

context hierarchies Roles granted access to

contexts

Granular Data Authorization for PLM


Attribute Based Access Control (ABAC)

Subject Attributes User (e.g. Citizenship,

Company) Computer Application

Environment Attributes Time Connection Type Threat Level

Resource Attributes Data Values Classification Content

Subject

ResourceEnvironment


Custom Development Considerations

Criteria Comments

Core function Is Authorization Mgmt a core function of your business?

Functional Fit Is your application extensible to provide the functionality you need?

Roadmap Alignment Can you keep up with future requirements?

TCO Cost of development and ongoing maintenance

Scalability Will your customization scale with more users and more requirements?

Timing Can you keep up with the agility of your business?


Introducing the Authorization Framework

1. Separate Functional, Data and Governance Requirements

2. Develop Functional Authorization Map

3. Authorization Model Assessment for Data Entitlements

4. Develop Data Authorization Decision Map

5. Choose the right tools for each layer


Global Engineering Example

Business Authorizations

1. Design Engineers can create, edit, and view drawings and BOMs

2. Engineering Services can create ECOs

3. Engineering Managers and Engineering Services can View

Drawings, BOMs, and ECOs

4. Internal users can access all company product data

5. Suppliers can only see their own product data

6. Partner Co. can only work on Program X

7. External partner accounts must be approved by partner manager

8. Trade Compliance must classify all new materials


Business Authorization Dimensions

Functional AccessDetermine the actions a user can perform

Data AccessDetermine the data a user can see

GovernanceRules for access management

Functional Access

Dat

a A

cces

s

Gover

nanc

e


Authorization Layers


Functional Authorization Map

Functional Roles


Data Authorization: The Right Tool for the Right Job

RBAC is great for Functional access control

What is right for Data access control? Depends on Authorization Complexity and Volatility

Physical Segregation?Custom Engineering?RBAC?ACM?ABAC?


Complexity: Beware of Role Explosion

A measure of how complex the authorization rules are to meet the control objective

Different tools can handle different complexity

Common mistake is to use Roles to manage Data Entitlements “We have more roles than employees”

Global companies have multiple access variables, each with multiple values Multiple Export Jurisdictions (e.g. ITAR, EAR, BAFA) Multiple IP Control Agreements (e.g. PIEA, NDA) Multiple Applications and Systems (e.g. PLM, ERP, SharePoint)

Traditional role based access control (RBAC) explodes with rule complexity

ABAC is better for complex authorization situations compared to RBAC

Number of Access Variables

Re

qu

ired

Acc

ess

Ru

les


Volatility

A measure of how likely or often authorization rules will change

Environments where authorization rules change frequently Decentralized systems Companies active in M&A Frequent system upgrades

In high volatility environments, Physical Segregation is not flexible enough

Custom Dev is expensive as it drives up maintenance cost

In volatile environments, RBAC, ABAC systems do better


What are my Data Authorization options?

Data Authorization Decision Map


Mapping Requirements to Authorization Tools

Understanding Global Deployment Authorization Requirements and Challenges

Introduction to the Authorization Toolbox

Authorization Framework – Clear Separation of Authorization Dimensions

Authorization Decision Map


Next Step – Applied Authorization

Part 2: Export Compliance How to assess Complexity and

Volatility Export Control example

Part 3: Secure Partner Collaboration Secure collaboration example Enterprise Authorization

Considerations


Co-organized by NextLabs and SAPPolicy-driven, information risk management software for Global 5000 enterprises. Help companies achieve safer

and more secure internal and external collaboration

Ensure proper access to applications and data

Facts Locations

HQ: San Mateo, CANew York, NYHangzhou, PRCMalaysia

25+ Patent Portfolio Major go-to-market Partners:

IBM, SAP, Microsoft

“We allow companies to preserve confidentiality, prevent data loss and ensure compliance across more channels and more points with a single unified solution with unmatched user acceptance and total cost of ownership.”

- Keng Lim, Chairman and CEO

NextLabs Overview


Thank You!

Questions?Ruth Stephens: [email protected]

Part 2: SAP authorization model for Export Compliance

Sign-up: visit www.nextlabs.com

mailto:[email protected]

Technology

PART I of III: Advanced Authorization for SAP Global Deployments: September 20, 2011