Hitachi ID Identity and Access Management Suite includes multiple integrations with products from SAP AG. They include:
- Managing accounts and passwords on one or more SAP ECC or R/3 target systems.
- Managing entitlements on a SAP Portal (accounts/passwords often just come from AD or LDAP).
- Use of SAP HCM as a system of record, to drive automated user provisioning.
- Use of personal information about accounts, drawn from SAP HCM, to authenticate users in the context of a self-service or assisted password reset.
SAP ECC accounts, entitlements and passwords
Hitachi ID Identity and Access Management Suite can manage SAP ECC or R/3 passwords by invoking built-in BAPIs on the SAP server. These BAPIs are already present in the Hitachi ID Systems customer SAP environment, so there is no change control on the server. BAPIs are invoked using the remote function call (RFC) mechanism available from the SAP GUI client, which must be installed on the Hitachi ID Identity and Access Management Suite server.
Hitachi ID Identity and Access Management Suite validates SAP ECC or R/3 passwords by attempting to connect to the appropriate SAP landscape, system and client with the login ID and password typed by a user.
Hitachi ID Identity and Access Management Suite enumerates SAP ECC or R/3 accounts by listing the contents of the USR02 table. The administrative user assigned to Hitachi ID Identity and Access Management Suite must have the right to list the contents of this table.
Hitachi ID Identity and Access Management Suite administratively resets SAP ECC or R/3 passwords with the BAPI-USER-CHANGE and BAPI-USER-LOCK functions. The administrative user assigned to Hitachi ID Identity and Access Management Suite must have the right to call these BAPIs.
If Hitachi ID customer uses CUA (central user administration), updates made to a single SAP client using BAPI-USER-CHANGE, even if it is the master instance, will not automatically propagate to other SAP clients. This is a limitation of CUA, not of the Hitachi ID Identity and Access Management Suite SAP connector. To overcome this limitation of CUA, Hitachi ID Identity and Access Management Suite can either target every SAP client, automatically making multiple updates rather than one or else a Hitachi ID Identity and Access Management Suite BAPI can be installed on the master CUA instance, which triggers replication from there to other clients.
The Hitachi ID Identity and Access Management Suite SAP connector also supports load balancing. For example, it can distribute password validation and account updates across multiple SAP clients/systems, to reduce the load on any one of them.
Hitachi ID Identity and Access Management Suite creates, modifies and removes SAP ECC and SAP R/3 user objects using the BAPI-USER-CREATE, BAPI-USER-DELETE, BAPI-USER-GET-DETAIL and BAPI-USER-CHANGE functions.
When creating or modifying SAP ECC or R/3 user objects, the Hitachi ID Identity and Access Management Suite SAP connector can directly set:
- Identity attributes, such as ADDRESS, TITLE, DEPARTMENT, FUNCTION, etc. In all, the connector is able to read and write 100 different native SAP ECC or R/3 identity attributes, in addition to the basic authentication fields (ID, password, expiration date, etc.).
- All activity groups (i.e., manage membership of accounts in activity groups).
- All profiles (i.e., manage membership of accounts in profiles).
SAP HCM as a system of record
A connector is provided to extract a list of people and their attributes from SAP HR. This is typically used to drive automated (de)provisioning on other systems and applications.
This connector works using the RFC_READ_TABLE ABAP function which interrogates tables such as "ADDRESSEMPKEY" "BAPI_ADDRESSEMP_GETDETAIL", "BAPI_ADDRESSEMP_GETLIST", "BAPI_BASICPAY_GETDETAIL", "BAPI_BASICPAY_GETLIST", "BAPI_EMPLCOMM_GETDETAIL", "BAPI_EMPLCOMM_GETLIST", "BAPI_FAMILY_GETDETAIL", "BAPI_FAMILY_GETLIST", "BAPI_PERSDATA_GETDETAIL", "BAPI_PERSDATA_GETLIST", "BASICPAYEMPKEY", "FAMILYKEY", "INTCONTROLKEY" and "PERSONALDATAKEY." This data maps to a list of people and attributes for each of those people, which in turn feed into the automation process in Hitachi ID Identity Manager.
SAP GRC to validate policy
Identity Manager can integrate with SAP GRC to ensure that assigned entitlements do not violate internal control objectives. There are actually two methods to accomplish this -- one recommended by SAP and another recommended by Hitachi ID. Both methods are supported and each has its own advantages.
Identity Manager can submit requests to assign or revoke entitlements to SAP GRC, which evaluates its own policies, may execute workflows to implement compensating controls and will eventually either make the requested change or indicate that it was rejected.
This approach gives organizations maximum flexibility vis-a-vis GRC policies and business processes, but where requesters submit access requests into Identity Manager, they have limited visibility into the current status of access requests.
- Hitachi ID-recommended:
Identity Manager can submit requests to GRC to check whether a given access request would violate any policies. If not, then the access is assigned or revoked, immediately, on SAP ECC. If a policy violation would be triggered, then Identity Manager can use its own workflow to request an approved exception.
This approach is not quite as flexible as GRC for managing compensating controls and approved policy exceptions, but by embedding all workflows in the IAM system it presents a more friendly user experience to requesters and to most authorizers.
SAP HANA databases
SAP HANA is a database platform and as such is integrated with Hitachi ID Identity and Access Management Suite using the ODBC connector and a suitable SQL script. Note that HANA login credentials may likewise be externalized, for example to Kerberos or Security Assertions Markup Language (SAML) . In these cases, HANA-local passwords may not be required, though configurations with both HANA-local and HANA-external credentials are supported (by both HANA and Hitachi ID Identity and Access Management Suite).
Accounts are created by sending SQL commands to the database such as "CREATE USER userID PASSWORD newPW NO FORCE_FIRST_PASSWORD_CHANGE;". Similar commands are used to delete accounts, reset passwords, enable/disable accounts, etc.
There are multiple types of roles in SAP HANA, including standard database roles, HANA repository roles and privileges to the system, to database objects, to data models, to packages and to applications. In most cases, only SAP database and HANA repository roles are used, and these can be granted directly via the same ODBC/SQL method as above.
Some HANA systems may be configured with an LDAP integration,
in which case roles may be assigned in HANA by virtue of the
user being a member of LDAP groups. In this case, Hitachi ID Identity and Access Management Suite
can be configured to assign and revoke LDAP group memberships
rather than HANA-internal roles.