© 2005-2011 NextLabs Inc.
Advanced Authorization for SAP Global Deployments
Part I: The SAP authorization toolbox and models for access control
Sandeep Chopra, Senior Product Mgr, NextLabs, Inc.
Agenda

Objective
- Review access control challenges of a global SAP deployment
- Describe a model for applying tools to address requirements
- Look at some of the tools in the authorization toolbox

Presentation
- Anatomy of a Global Deployment
- Access Control Requirements and Challenges
- The Authorization Toolbox
- A Pragmatic Authorization Model
- An Authorization Decision Map
- The Next Step – Applied Authorization

Questions and Answers
Anatomy of a Global Deployment

[Diagram: a central ERP/PLM system connected to Customer, Suppliers, Design Partners, IT Ops, Trade Compliance and Regulatory Jurisdictions, with Engineering, Manufacturing and Service sites in several regions]

- Regional Compliance Jurisdictions: Export Compliance, Privacy, Financial Reporting
- Global Supply Chain: Shared Supply Chain Management, External Access, Co-opetition, Multi Level Supply Chain
- External Access: External Partner Collaboration, Direct External Access
- Shared IT Ops: Administration, Helpdesk, Development
- Global Shared Process: Global versus Regional Functions, Multi Line of Business, Global Collaboration and Workflow
Advanced Authorization Challenges

Collaboration
- How do I share data and functions to enable global collaboration?
- How do I enable collaboration with external partners?
- How do I do more business around the world?
- How do I support systems 24/7 at the lowest cost?

Security
- How do I limit access to data and functions for users in a specific region or LOB?
- How do I protect my company IP from leaking outside the company?
- How do I ensure compliance with multiple global regulations?
- How do I control privileged IT users?
Authorization Toolbox

- Physical Segregation: multiple instances, client partitions
- RBAC: SAP Authorization Concept
- Context-based Access: PLM Access Control Model (ACM)
- Attribute Based Access Control (ABAC)
- Custom Development
Physical Segregation

[Diagram: "ERP 1" used by other employees, beside a separate "SAP for Project ACME" instance used by Project ACME team members and Project ACME partners, with separate administration, storage and IT management]
SAP Authorization Concept

- Profile / Role Driven: Role Based Access Control (RBAC)
- Functional Access: transactions, programs, services
- Data Access: up to 10 AND’ed authorization fields, e.g. Company, Plant
PLM Access Control Management (ACM)

[Diagram: context hierarchy with a Root Context branching into Line Org. (Department A), Project Org. (Project A, Project B) and Standards (Internal, Public); a context such as "Standard Gear-Box" can carry an optional, additional ACL for access control on individual objects]

- Access Control Lists: object level access control
- Access Control Contexts: group resources in multiple context hierarchies; roles are granted access to contexts
- Granular Data Authorization for PLM
Attribute Based Access Control (ABAC)

- Subject Attributes: User (e.g. Citizenship, Company), Computer, Application
- Environment Attributes: Time, Connection Type, Threat Level
- Resource Attributes: Data Values, Classification, Content

[Diagram: Subject, Resource and Environment as the three inputs to the access decision]
Custom Development Considerations

Criteria            Comments
Core function       Is Authorization Mgmt a core function of your business?
Functional Fit      Is your application extensible to provide the functionality you need?
Roadmap Alignment   Can you keep up with future requirements?
TCO                 Cost of development and ongoing maintenance
Scalability         Will your customization scale with more users and more requirements?
Timing              Can you keep up with the agility of your business?
Introducing the Authorization Framework
1. Separate Functional, Data and Governance Requirements
2. Develop Functional Authorization Map
3. Authorization Model Assessment for Data Entitlements
4. Develop Data Authorization Decision Map
5. Choose the right tools for each layer
Global Engineering Example
Business Authorizations
1. Design Engineers can create, edit, and view drawings and BOMs
2. Engineering Services can create ECOs
3. Engineering Managers and Engineering Services can view Drawings, BOMs, and ECOs
4. Internal users can access all company product data
5. Suppliers can only see their own product data
6. Partner Co. can only work on Program X
7. External partner accounts must be approved by partner manager
8. Trade Compliance must classify all new materials
Business Authorization Dimensions

- Functional Access: determine the actions a user can perform
- Data Access: determine the data a user can see
- Governance: rules for access management

[Diagram: three overlapping circles labelled Functional Access, Data Access and Governance]
Data Authorization: The Right Tool for the Right Job

- RBAC is great for Functional access control
- What is right for Data access control? It depends on Authorization Complexity and Volatility
- Physical Segregation? Custom Engineering? RBAC? ACM? ABAC?
Complexity: Beware of Role Explosion

- A measure of how complex the authorization rules are to meet the control objective
- Different tools can handle different complexity
- A common mistake is to use roles to manage data entitlements: “We have more roles than employees”
- Global companies have multiple access variables, each with multiple values:
  - Multiple Export Jurisdictions (e.g. ITAR, EAR, BAFA)
  - Multiple IP Control Agreements (e.g. PIEA, NDA)
  - Multiple Applications and Systems (e.g. PLM, ERP, SharePoint)
- Traditional role based access control (RBAC) explodes with rule complexity
- ABAC handles complex authorization situations better than RBAC

[Chart: Required Access Rules (y-axis) against Number of Access Variables (x-axis)]
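The role-explosion argument above, combined with the subject, resource and environment attributes from the ABAC slide and the AND'ed fields of the SAP Authorization Concept slide, as a runnable Python example added here. It is not NextLabs or SAP code; the access variables, the "EU-Dual-Use" value, the engineer and drawing records and the VPN environment rule are all constructed for illustration. RBAC needs one role per combination of variable values (a product), while ABAC needs one attribute rule per variable (a sum), so adding one more jurisdiction grows the role count but leaves the rule count unchanged.

```python
"""Role explosion versus attribute-based rules (constructed example).

When data entitlements depend on several access variables, each with several
values, an RBAC model needs a role per value combination, while ABAC needs one
rule per variable. This script makes that growth visible and shows a minimal
ABAC evaluator over subject, resource and environment attributes.
"""
from itertools import product
from math import prod

# Constructed access variables. The value names echo the slide's examples
# (ITAR/EAR/BAFA, PIEA/NDA, PLM/ERP/SharePoint); they are not a real policy.
ACCESS_VARIABLES = {
    "export_jurisdiction": ["ITAR", "EAR", "BAFA"],
    "ip_agreement": ["PIEA", "NDA"],
    "application": ["PLM", "ERP", "SharePoint"],
}


def rbac_roles_needed(variables):
    """RBAC: one role per combination of values (Cartesian product)."""
    return prod(len(values) for values in variables.values())


def enumerate_rbac_roles(variables):
    """The explicit role names an RBAC model has to define and maintain."""
    names = list(variables)
    return [
        "_".join(f"{name}={value}" for name, value in zip(names, combo))
        for combo in product(*variables.values())
    ]


def abac_rules(variables):
    """ABAC: one rule per variable. A rule passes when the resource's value
    for that attribute is among the values the subject is entitled to."""
    return {
        name: (lambda subject, resource, attr=name:
               resource.get(attr) in subject.get(attr, ()))
        for name in variables
    }


def abac_authorize(subject, resource, environment, rules):
    """AND all attribute rules (like AND'ed authorization fields), plus one
    constructed environment rule: external users (subject attribute) are
    allowed only over a VPN connection (environment attribute).
    Returns True for allow, False for deny."""
    if subject.get("user_type") == "external" and environment.get("connection") != "vpn":
        return False
    return all(rule(subject, resource) for rule in rules.values())


def with_extra_value(variables, name, value):
    """Copy of the variables with one more value under `name`, e.g. a new
    export jurisdiction coming into scope. The original is left untouched."""
    updated = {key: list(values) for key, values in variables.items()}
    updated[name].append(value)
    return updated


def compare_growth(variables):
    """Roles an RBAC model needs versus rules an ABAC model needs."""
    return {"rbac_roles": rbac_roles_needed(variables),
            "abac_rules": len(abac_rules(variables))}


if __name__ == "__main__":
    print("baseline:", compare_growth(ACCESS_VARIABLES))
    # "EU-Dual-Use" is a constructed fourth jurisdiction, not a real value
    grown = with_extra_value(ACCESS_VARIABLES, "export_jurisdiction", "EU-Dual-Use")
    print("after one new jurisdiction:", compare_growth(grown))
    # Constructed subject: an internal design engineer cleared for ITAR and EAR
    engineer = {"user_type": "internal",
                "export_jurisdiction": {"ITAR", "EAR"},
                "ip_agreement": {"NDA"},
                "application": {"PLM"}}
    drawing = {"export_jurisdiction": "ITAR", "ip_agreement": "NDA", "application": "PLM"}
    print("engineer -> ITAR drawing:",
          abac_authorize(engineer, drawing, {"connection": "lan"},
                         abac_rules(ACCESS_VARIABLES)))
```

Run as a script it prints the baseline counts (18 roles against 3 rules), the counts after a fourth jurisdiction (24 roles, still 3 rules) and one allow decision. The point for a reviewer is the shape of `compare_growth`: every new value of any variable multiplies the RBAC role list, which is exactly the "more roles than employees" symptom, while the ABAC rule set only changes when a new kind of attribute is introduced.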
Volatility

- A measure of how likely, and how often, authorization rules will change
- Environments where authorization rules change frequently:
  - Decentralized systems
  - Companies active in M&A
  - Frequent system upgrades
- In high volatility environments, Physical Segregation is not flexible enough
- Custom development is expensive because it drives up maintenance cost
- In volatile environments, RBAC and ABAC systems do better
What are my Data Authorization options?
Data Authorization Decision Map
Mapping Requirements to Authorization Tools
Understanding Global Deployment Authorization Requirements and Challenges
Introduction to the Authorization Toolbox
Authorization Framework – Clear Separation of Authorization Dimensions
Authorization Decision Map
Next Step – Applied Authorization

Part 2: Export Compliance
- How to assess Complexity and Volatility
- Export Control example

Part 3: Secure Partner Collaboration
- Secure collaboration example
- Enterprise Authorization Considerations
NextLabs Overview

Co-organized by NextLabs and SAP

Policy-driven, information risk management software for Global 5000 enterprises.
- Help companies achieve safer and more secure internal and external collaboration
- Ensure proper access to applications and data

Facts
- 25+ Patent Portfolio
- Major go-to-market Partners: IBM, SAP, Microsoft

Locations
- HQ: San Mateo, CA
- New York, NY
- Hangzhou, PRC
- Malaysia

“We allow companies to preserve confidentiality, prevent data loss and ensure compliance across more channels and more points with a single unified solution with unmatched user acceptance and total cost of ownership.”
- Keng Lim, Chairman and CEO
Thank You!

Questions? Ruth Stephens: [email protected]
Part 2: SAP authorization model for Export Compliance
Sign-up: visit www.nextlabs.com