24.04.2008
Agenda
Summary
© BT 2008
- Identity virtualization and identity as a service through standard interfaces (e.g. Order2Cash, HCM integration)
- HCM data (e.g. on-boarding)
- Definition and rule-based assignment of meta roles
- Identity management monitoring and audit
- Password management
- Distribution of users and role assignments for SAP and non-SAP systems
- Connected systems: legacy applications, MS Exchange, web applications, databases, operating systems, SAP FI (ABAP), SAP Java
System Components
- Users: user/manager, administrator, developer
- Front-ends: monitoring front-end, workflow front-end, management console
- Database: holds the identity store and the process configuration
- Dispatchers
- Event agents: detect changes in connected systems
- Virtual directory: provides additional connectors
- Source systems and target systems
Management Console
Monitoring
Synchronization of 230.000 identities from the corporate directory into Active Directory
- Provisioning of personal and functional email accounts
- Additional attributes joined from import files
- Built-in delta mechanism reduces updates to Active Directory to the absolute minimum
Performance
- Delta import once a day, duration 1.5 h
- Full import once a month, duration ca. 5 h
Data flow: source systems (corporate directory, files) -> Identity Center (database) -> target systems (Active Directory)
Benefits
- Efficient delta mechanism
- Highly customizable connectors
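The delta mechanism described above, as an added example (not BT's or SAP NetWeaver IDM's code): corporate-directory records are joined with attributes from an import file, compared against the attribute values last provisioned to the target, and only the resulting add/modify/delete operations are emitted. All identities, attributes and stored state are constructed sample data.

```python
"""Delta mechanism for directory synchronization (added example, not BT's or
SAP NetWeaver IDM's code). Models the case above: corporate-directory records
are joined with attributes from an import file, and only attributes that changed
since the last run are sent to the target. All data here is constructed."""
import hashlib
import json
# Constructed: corporate directory export (source system).
CORPORATE_DIRECTORY = [
    {"uid": "u1001", "sn": "Mustermann", "givenName": "Hans", "l": "MUC"},
    {"uid": "u1002", "sn": "Schmidt", "givenName": "Anna", "l": "FRA"},
    {"uid": "u1003", "sn": "Weber", "givenName": "Karl", "l": "BER"},
]
# Constructed: import file with additional attributes, joined by uid.
IMPORT_FILE = {"u1001": {"mail": "hans.mustermann@example.com"},
               "u1002": {"mail": "anna.schmidt@example.com"}}
# Constructed: attribute values as last provisioned to the target, per uid.
# u1001 moved (l changed), u1003 is new, u1004 has left the source.
LAST_PROVISIONED = {
    "u1001": {"sn": "Mustermann", "givenName": "Hans", "l": "FRA",
              "mail": "hans.mustermann@example.com"},
    "u1002": {"sn": "Schmidt", "givenName": "Anna", "l": "FRA",
              "mail": "anna.schmidt@example.com"},
    "u1004": {"sn": "Alt", "givenName": "Otto", "l": "MUC"},
}

def fingerprint(attrs):
    """Stable hash of one record's attribute set, so unchanged records are skipped fast."""
    return hashlib.sha256(json.dumps(attrs, sort_keys=True).encode()).hexdigest()

def join_sources(directory, import_file):
    """Merge import-file attributes into each directory record, keyed by uid."""
    joined = {}
    for rec in directory:
        attrs = {k: v for k, v in rec.items() if k != "uid"}
        attrs.update(import_file.get(rec["uid"], {}))
        joined[rec["uid"]] = attrs
    return joined

def compute_delta(current, previous):
    """Minimal list of target operations: add, modify (changed attributes only,
    removed ones as None) and delete. Unchanged records yield no operation."""
    ops = []
    for uid, attrs in current.items():
        old = previous.get(uid)
        if old is None:
            ops.append(("add", uid, attrs))
        elif fingerprint(attrs) != fingerprint(old):
            changed = {k: v for k, v in attrs.items() if old.get(k) != v}
            changed.update({k: None for k in old.keys() - attrs.keys()})
            ops.append(("modify", uid, changed))
    for uid in sorted(previous.keys() - current.keys()):
        ops.append(("delete", uid, {}))  # often a disable step in practice
    return ops
```

Running `compute_delta(join_sources(CORPORATE_DIRECTORY, IMPORT_FILE), LAST_PROVISIONED)` yields one modify for u1001 (only `l`), one add for u1003 and one delete for u1004; u1002 produces nothing.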
Consulting
- IdM project setup and definition
- Requirements analysis
- Detailed vendor selection: longlist, RFI, shortlist, POC
Implementation
- Design based on the selected IdM tool (MaXware IC / SAP NetWeaver IDM)
- Implementation: data model, IdM processes, provisioning interfaces to target systems, IdM data synchronization
- Establish standards for the definition of roles and entitlements
- Process optimization for IdM administration processes
- Prepare data protection concepts and works council agreements
- Quality assurance concept
- Data cleansing support
Project management
- Test
- Migration of existing accounts and entitlements
- Operations
- Change and incident management
Project goals
- Creation of a central identity repository for all non-customer identities accessing computing center applications
- Implementation of standardized administration processes for entitlements
- Creation of a central repository for entitlements
- Increasing data quality of identity and entitlement data
- Effective demonstration of SOX compliance
- Delegation of administrative tasks
- Increase degree of automation
Primary goals: increase usability, security and audit capabilities
Secondary goals: cost reduction and ROI considerations
Tool selection
- RFI with >10 major IdM vendors
- Presentations and proof of concept
Criteria
- Support for non-standard applications
- Flexibility, high degree of customization possible
- Expected implementation effort
- Match with skills available internally
- Support for roles and delegated administration
- Traceability of system and user actions
Target system types: SAP, ISP test accounts, building access, secure VPN, LDAP, Active Directory, Samba, SSH key management / key distribution, ARS Remedy, Sun Access Manager
Nov. 2004: requirements analysis
May 2005: tool selection
July 2005: design and start of implementation
June 2007: Release 1.5
Sept. 2007: Release 1.6
Jan. 2008: Release 1.7
April 2008: Release 1.8
UseCases (1)
Identity Management
Identity lifecycle events: (re-)enter company, OU change, location change, position change, sabbaticals/maternity leave, leave company
Transitions of an active identity: change location, change company, change organization, change name, change position
Create Person
Create Location
UseCases (2)
Identity attributes: location, OU, company (sample identity: Hans Mustermann)
Account Management
- Assign account
- (De-)activate account
- Delete account
- Password management
- Permissions, e.g. VPN access, Active Directory account, AD group "Employees-MUC", functional role "Employee"
Self-Service
Create Permissions
Creates permission within the IdM-system as well as in the target system
Assign/Revoke Permissions
Delegated administration for permission owners
UseCases (3)
Identity Management
Request -> approval or denial
Request Permissions
- Users may request permissions for themselves or others
- Approval process configurable for each permission
- Approver roles: line manager, permission owner, target system owner, HR
Approval
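The request/approval process above, as an added example (not BT's or SAP NetWeaver IDM's code): each permission carries its own configured chain of approver roles, roles are resolved to concrete approvers per request, and a denial at any step ends the process. The identities, permissions and owners are constructed; the rule that the beneficiary may not approve their own request is an assumed separation-of-duty check, not something the slides state.

```python
"""Configurable approval process for permission requests (added example, not
BT's or SAP NetWeaver IDM's code). Each permission lists the approver roles
that must approve in order; roles resolve to concrete approvers per request.
Identities, permissions and owners below are constructed sample data."""
# Constructed: identities with their line managers, and the HR group.
IDENTITIES = {"hans": {"manager": "maria"}, "maria": {"manager": "ceo"}}
HR_STAFF = {"hr1"}
# Constructed: target systems and permissions, each with its approval chain.
TARGET_SYSTEMS = {"AD": {"owner": "adadmin"}, "VPN": {"owner": "netadmin"}}
PERMISSIONS = {
    "AD-Group Employees-MUC": {"system": "AD", "owner": "maria",
                               "approvers": ["Line Manager"]},
    "VPN-Access": {"system": "VPN", "owner": "secops", "approvers":
                   ["Line Manager", "Permission Owner", "Target System Owner"]},
    "Functional Role Employee": {"system": "AD", "owner": "hr1",
                                 "approvers": ["HR"]},
}

def resolve_approvers(permission_name, for_user):
    """Map the permission's configured approver roles to concrete user ids."""
    perm = PERMISSIONS[permission_name]
    resolvers = {
        "Line Manager": lambda: {IDENTITIES[for_user]["manager"]},
        "Permission Owner": lambda: {perm["owner"]},
        "Target System Owner": lambda: {TARGET_SYSTEMS[perm["system"]]["owner"]},
        "HR": lambda: set(HR_STAFF),
    }
    return [(role, resolvers[role]()) for role in perm["approvers"]]

class PermissionRequest:
    """Request by `requester` to grant `permission` to `for_user` (self or other).
    Steps are worked off in configured order; one denial ends the process. The
    beneficiary may never approve (assumed separation-of-duty rule)."""
    def __init__(self, requester, for_user, permission):
        self.requester, self.for_user, self.permission = requester, for_user, permission
        self.pending = resolve_approvers(permission, for_user)
        self.state = "pending" if self.pending else "approved"
        self.log = []  # audit trail: (role, approver, decision)
    def decide(self, approver, approve):
        if self.state != "pending":
            raise ValueError("request already " + self.state)
        role, allowed = self.pending[0]
        if approver not in allowed or approver == self.for_user:
            raise PermissionError(f"{approver} may not act as {role} here")
        self.log.append((role, approver, "approved" if approve else "denied"))
        if not approve:
            self.state = "denied"
        else:
            self.pending.pop(0)
            self.state = "approved" if not self.pending else "pending"
        return self.state
```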
Lessons Learned
Implementation
- Expectations concerning adaptability were fulfilled
- Tool supports change and redesign very well in the course of extensions and additions
- Short implementation cycles achieved
- System behavior is transparent and follows a consistent paradigm
- Number of processes (approx. 150 processes, 1300 steps) makes the system complex
- Framework developed on top of built-in functionality
- (Regression) testing indispensable
Processes
- Flexibility (data model, user interface, processes) brings the temptation of relaxing initial standards as the system evolves over time
- End user help crucial to reduce helpdesk call volume
- Complexity multiplies (user types x identity states x data sources)
General issues
- Data cleansing and migration may take up to 50% of target system implementation effort
- Development, integration and production environments required to manage changes
- Pragmatic approach to the use of roles allows for a sufficient degree of automation without complex role modeling processes
Summary
SAP NetWeaver Identity Management fulfilled the expectations regarding the speed and flexibility of a tool-box, but requires thorough design and planning for large deployments.
- Agile implementation possible
- Quick reaction to changed requirements
- High degree of flexibility concerning data model, process adaptation and front-end extension
Flexibility requires
- Experienced IdM developers and designers
- Mature project and software development organization
- Comprehensive QA measures appropriate for IdM (i.e. automated regression tests)
Thank You
Andreas Müller, Solutions Architect, Global Professional Services, BT (Germany) GmbH & Co. oHG
Tel: +49 (0)69 3307-8074, andreas.mueller@bt.com