TechEd Vienna
Frank Buchholz
Security Product Manager, SAP AG
Jens Koster
Security Product Manager, SAP AG
TechEd Boston
Gerlinde Zibulski
Security Product Manager, SAP Labs LLC
Summary
[Figure: Central User Administration (CUA). Users can be administrated in the CUA central system (SAP release as of 4.6C) and are distributed automatically to the client SAP systems via ALE. Local administration is still possible (redistribution). No inconsistencies.]
[Figure: Meta-Directory landscape. Connected systems shown: Application 1, Application 2, Telephony, Operating system, HR system; links labelled LDAP synchronization, Replication, RFC and ALE. Note: as of 4.70 HR can be connected directly to the LDAP directory.]
[Figure: Enterprise Portal with User Management Engine (UME) and CUA central system (SAP release as of 6.10). Elements shown: Directory, LDAP synchronization, persistence store, SAP J2EE Engine, ALE links.]
[Figure: the same landscape on SAP ABAP + J2EE Engine: Enterprise Portal with User Management Engine (UME), CUA central system (SAP release as of 6.10), persistence store, CUA client, ALE links.]
[Figure: Provisioning incl. SPML integration*. Central User Administration with the labels: load employee data, HR, Operating system, Provisioning, Password Management, Self-service, SAP Metadirectory, Audit, Non-SAP applications.]
*SPML integration available as of SAP NetWeaver NW 2004s SPS5 and NW 2004 SPS14
© SAP AG 2005, SAP TechEd ’05 / AGS101 / 14
SAP Identity Management
and Siemens Identity Management
Summary
[Figure: …secure… Authentication, Single Sign On. Portal Roles … define what is displayed in the Portal. ABAP and Java.]
ABAP Roles and Portal Roles: A Comparison
Scenario A:
The administrator uses the UME to maintain users and portal role assignments.
Portal roles and the related ABAP authorization roles are linked together.
The system ensures that the necessary ABAP authorization roles are assigned, too.
Scenario B:
The administrator uses the CUA to maintain users and role assignments.
Portal roles and the related ABAP roles are linked together.
The system ensures that the necessary Portal roles are assigned, too.
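The linking in Scenarios A and B, as an added example (not SAP code and not the UME or CUA implementation): a portal role assigned in the UME pulls in its linked ABAP roles, an ABAP role assigned in the CUA grants the portal roles it completes, and a reconciliation check reports users whose portal role is no longer backed by the linked ABAP roles. The link table, the role names and the users are constructed; the Scenario B grant rule (all linked ABAP roles must be present) is a modelling assumption.

```python
"""Linked portal roles and ABAP authorization roles, as in Scenarios A and B.

Added example, not SAP code and not the UME or CUA implementation. The link
table, role names and users are constructed; the grant rule for Scenario B
(a portal role is granted once all of its linked ABAP roles are held) is a
modelling assumption.
"""
from dataclasses import dataclass, field

# Constructed link table: portal role -> ABAP authorization roles it requires.
PORTAL_TO_ABAP = {
    "pcd:portal_role/hr_manager": {"Z_HR_MANAGER", "Z_HR_DISPLAY"},
    "pcd:portal_role/employee": {"Z_ESS_USER"},
}


@dataclass
class User:
    uid: str
    portal_roles: set = field(default_factory=set)
    abap_roles: set = field(default_factory=set)


def assign_portal_role(user, portal_role, links=PORTAL_TO_ABAP):
    """Scenario A: a portal role assigned in the UME pulls in its linked ABAP roles."""
    if portal_role not in links:
        raise KeyError(f"no ABAP roles linked to {portal_role}")
    user.portal_roles.add(portal_role)
    user.abap_roles |= links[portal_role]
    return user


def assign_abap_role(user, abap_role, links=PORTAL_TO_ABAP):
    """Scenario B: an ABAP role assigned in the CUA grants every portal role whose
    linked ABAP roles the user now holds (assumption: all of them must be present)."""
    user.abap_roles.add(abap_role)
    for portal_role, needed in links.items():
        if needed <= user.abap_roles:
            user.portal_roles.add(portal_role)
    return user


def find_inconsistencies(users, links=PORTAL_TO_ABAP):
    """Reconciliation: (uid, portal role, missing ABAP roles) for every user whose
    portal role is not backed by all linked ABAP roles, e.g. after a role was
    removed by local administration in a client system."""
    findings = []
    for user in users:
        for portal_role in sorted(user.portal_roles):
            missing = links.get(portal_role, set()) - user.abap_roles
            if missing:
                findings.append((user.uid, portal_role, sorted(missing)))
    return findings


def demo():
    """Constructed walk-through; returns the reconciliation findings."""
    alice = assign_portal_role(User("alice"), "pcd:portal_role/hr_manager")
    bob = assign_abap_role(User("bob"), "Z_ESS_USER")
    # Drift: an ABAP role removed locally in a client system, portal role kept.
    alice.abap_roles.discard("Z_HR_MANAGER")
    return find_inconsistencies([alice, bob])


if __name__ == "__main__":
    for uid, portal_role, missing in demo():
        print(f"{uid}: portal role {portal_role} lacks ABAP roles {missing}")
```

The reconciliation function is the part worth keeping in practice: run it over the exported user lists of the portal and the CUA central system, and any finding is a user whose portal navigation promises functions the backend will refuse (or, with the check inverted, backend authorizations nobody can reach from the portal).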
[Figure: Scenario A role maintenance. Enterprise Portal (SAP ABAP + J2EE Engine) with persistence store, LDAP synchronization to the Directory, and CUA. Labelled steps: Portal Role Maintenance (1), User Maintenance (1), Transfer Role Information to CUA, Synchronize User Data (3), Authorization Role Assignment using transaction WP3R (5), Users get roles in backend systems (6).]
Scenario B: Role Maintenance
[Figure: Scenario B role maintenance. Portal Role Maintenance (1): an SAP backend Authorization Role EQUALS a Group in the Enterprise Portal; Maintain auth. role templates (2). User Maintenance (1) and Role Assignment (2) in the CUA for the Portal (persistence store, ALE). Result (3): users get groups and indirect roles in the Portal, and authorization roles in the backend systems (SAP ABAP + J2EE Engine).]
Summary
[Figure: Summary. A Central Person (Company/University) is provisioned to the Target Systems for Provisioning: J2EE Engine, LDAP Directory, ABAP System, and SAP Web AS ABAP+Java (ABAP System + J2EE Engine).]
Agenda
Summary
SAP will develop its own solution for the external user account provisioning application (for SAP and non-SAP applications) based on NetWeaver.
Public Web
www.sap.com
NetWeaver Developer's Guide: www.sdn.sap.com/sdn/developersguide.sdn
SAP Developer Network: www.sdn.sap.com > SAP NetWeaver Platform > Security
SAP Customer Services Network: www.sap.com/services/
http://www.sdn.sap.com/
Q&A
security@sap.com
URL: http://service.sap.com/security
Thank You !
[Figure: user and role concepts compared. ABAP: User, User Group (collection of users), ABAP Role (collection of ABAP authorizations), Authorizations. UME: User, User Group, UME Role, Actions. J2EE Security: User, User Group, Role, J2EE Security Authorizations (Security Actions). Composite User Groups (of Users or User Groups) and composite Roles are possible. Example: EJB methods change and display (e.g. a Java program to display / maintain something, packaged in a JAR inside an EAR); User Groups CHANGE and DISPLAY; User1, User2; Application1, Application2; Action1, Action2, Action3, Action4.]
[Figure: program flow with authorization checks in both ABAP and Java. Presentation Layer: Web Dynpro Java and Web Dynpro ABAP (recommended). Business Layer: connectivity between ABAP and Java via EJB, Function / BAPI and JCo. Persistence: Open SQL on the ABAP side with business-relevant authority checks based on ABAP roles; Open SQL on the Java side with business-relevant authority checks based on UME roles. Database Instance: ABAP Schema and Java Schema.]
The information in this document is proprietary to SAP. No part of this document may be reproduced, copied, or transmitted in any form or for any purpose without the express prior written permission of SAP AG.

This document is a preliminary version and not subject to your license agreement or any other agreement with SAP. This document contains only intended strategies, developments, and functionalities of the SAP® product and is not intended to be binding upon SAP to any particular course of business, product strategy, and/or development. Please note that this document is subject to change and may be changed by SAP at any time without notice.

SAP assumes no responsibility for errors or omissions in this document. SAP does not warrant the accuracy or completeness of the information, text, graphics, links, or other items contained within this material. This document is provided without a warranty of any kind, either express or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose, or non-infringement.

SAP shall have no liability for damages of any kind including without limitation direct, special, indirect, or consequential damages that may result from the use of these materials. This limitation shall not apply in cases of intent or gross negligence.

The statutory liability for personal injury and defective products is not affected. SAP has no control over the information that you may access through the use of hot links contained in these materials and does not endorse your use of third-party Web pages nor provide any warranty whatsoever relating to third-party Web pages.