GSK - SAP IDM Implementation Strategy Paper V 5 0
Approved By:
Approval Date:
GlaxoSmithKline
IdM Scope Approach Document ver. 5.0
Title: SAP NetWeaver IdM Scope Approach for ERP (CERPs) Programme
Issued date: 24 May 2010 | Guidance Note No: | Version: 5.0 | Parent GSOP(s): | Page Number: ii of xxvii
Related Documents/References
Document Name                            | Location & File name | Version referred
Level 3 IDM Implementation Project Plan  |                      | v3.1
GlaxoSmithKline
Strategy and Approach Document
Title: SAP NetWeaver IDM Strategy and Approach for ERP (CERPs) Programme
Table of Contents
1. PURPOSE (p. 2)
2. SCOPE (p. 2)
3. CONSIDERATIONS (p. 2)
4. SCOPE AND ARCHITECTURE FOR SAP NW IDM (p. 3)
4.1. System Requirements – NW IdM Software (p. 3)
4.2. System Requirements – NW IdM Hardware (p. 4)
4.2.7. Identity Center servers (p. 6)
4.3. System Overview (p. 6)
4.3.1. Notes and Recommendations (p. 7)
4.4. NetWeaver Identity Management 7.1 - Landscape (p. 7)
1.1. NetWeaver Identity Management 7.1 – Landscape Location (p. 8)
1.2. Components to be Deployed (p. 11)
1.2.1. The Virtual Directory Server (p. 11)
1.2.2. The Identity Center (p. 12)
1.2.3. Runtime Components (p. 12)
1.2.4. Identity Management UI (p. 12)
1.2.5. Management Console (p. 12)
1.2.6. SAP Business Objects Access Control components are used in the following way (p. 12)
1.2.7. Client Deployment Strategy (p. 12)
2. LEVEL 3 - NW IDM PLANNING (p. 13)
2.1. IDM and Access Control Integration (p. 13)
2.1.1. User Identity Center Workflows (p. 14)
2.2. NetWeaver Identity Management 7.1 Level 3 Planning (p. 15)
2.2.1. Planned System Deployment Timeline (p. 16)
2.2.2. Phase 1 - Planning and scope (04th – 21st May) (p. 16)
2.2.3. Phase 2 – Foundation (17th May – 3rd July) (p. 16)
2.2.3.1. Phase 2a - Resources (17th May – 13th June) (p. 17)
2.2.3.2. Phase 2b - NW IdM Installation (SCS) – (14th – 30th June) (p. 17)
2.2.4. Phase 3 - IdM Build - Sandbox (5th July – 20th August) (p. 17)
2.2.6. Phase 3 - IdM Build - Development (1st – 30th September) (p. 18)
2.3. Resources (p. 19)
2.3.1. Resource – Overview (p. 20)
2.3.2. Role and Responsibilities (p. 20)

Table of Figures
Figure 1 - Example of NW IdM Sizing (p. 4)
Figure 2 - NW IdM - Identity Center Servers (p. 6)
Figure 3 - NW IdM System Overview (p. 7)
Figure 4 – NetWeaver IdM Implementation Landscape: Wave 1 & Wave 2 (p. 8)
1. PURPOSE
The purpose of this document is to provide an approach strategy for the implementation of SAP NW IDM 7.1 in conjunction with GRC AC 5.3 for the ERP (CERPs) Programme at GlaxoSmithKline (GSK). The CERPs Programme is in line with GSK's strategic vision of deploying common processes on a Common Technology. NetWeaver Identity Management 7.1 will initially be used for user provisioning to the CERPs SAP environments.
2. SCOPE
The scope of this deliverable is to define the requirements of planning, landscape infrastructure and system location within the ERP CERPs programme framework, in order to prepare for implementation of a NetWeaver Identity Management 7.1 solution:
• Required architecture
• Integration points with LDAP
• Project plan overview that reflects all activities to be performed, durations and milestones in line with the Level 3 Plan
• Required Resources
3. CONSIDERATIONS
b) The NW IdM implementation project plan submitted with the Approach Strategy will need
to be expanded to define further task detail in order to ensure monitoring of the project
implementation is effective.
c) Only three SAP NetWeaver Identity Management systems will be recommended for the Project Landscape, i.e. SAP Web AS 7.01 Sandbox, Non-Production & Production. It is understood that this is outside of current GSK landscape policy, but it is necessary to ensure a smooth provisioning process: an IdM environment does not conform to the normal landscape strategy because it is a provisioning system. Should more NW IdM systems be enforced, this would cause additional complex connectivity, which would deviate from the purpose of implementing an IdM solution, i.e. "to provide an automated user self-service request environment with faster effective compliant control approval process, automated provisioning, reduction of support desk issues and active reporting to ensure the effective monitoring and control of user access and role management".
d) The NW IdM will only provision SAP environments initially. Non-SAP systems will
continue to be provisioned through the Virtual Provisioning product.
Essential Contents
• All required activities and dependencies
  – Installation Requirements
  – Hardware & Software
• NetWeaver Identity Management (NW IdM) Landscape
  – Number of tiers
  – NW IdM Location in NW 7.01 Landscape
  – Backend systems in scope
  – Connections
  – Components to be deployed
• Level 3 Planning
  – Appendix A – Implementation Plan
• Resources
  – Define Resource requirements
  – Roles and responsibilities
SAP NetWeaver Identity Management: Release 7.1 SPS 4 (the latest support pack should be downloaded at time of installation)
In addition, SPML patches must be deployed on the AS Java as described in SAP Note
1064236.
The provisioning framework for SAP systems provides templates for both AS ABAP and AS
Java systems.
Current ERP CERPs Programme hardware specs for IDM and GRC:
Component        | SAPS             | RAM
IdM Database     | 1085 (+1085 HA)  | 8GB (+8GB HA)
IdM Application  | 2170             | 12GB
GRC Database     | 1085 (+1085 HA)  | 4GB (+4GB HA)
GRC Application  | 2170             | 12GB
It is understood that the NW IdM system will be on a separate Microsoft SQL Server for Sandbox and then on Unix. Keeping in line with best practice, it is strongly recommended that the NW IdM system should not be installed on the same shared server as the GRC AC 5.3 system, due to performance concerns; rather, the two systems should be allocated their own LPAR environments within the technical server landscape. The following provides further direction as to how the SBX, Dev, QA and Production IDM 7.1 systems can be structured.
4.2.2. Sandbox System – SAP IDM 7.1
The Sandbox System for SAP IDM 7.1 can have all 4 components (DB, MC, RT and UI) installed onto one server, either Microsoft or Unix, and should have the following minimum requirements:
• 2.22 GHz
• 4 GB Memory
• 150 GB Disk Space
Assuming that the production system has high availability requirements, a single
point of failure must be avoided. Therefore, the components are clustered or
duplicated.
There are four main components of the system:
• Database (DB). The database is either a Microsoft SQL Server or Oracle
database. The system platform is any which is supported by the selected
database. There should be at least two physical servers in a cluster for this. The
Identity Center does not require a dedicated database server (unless sizing
requirements demand it), so you may be able to use existing database instances.
Please note the installation and configuration requirements for the database, as
found in the installation guides (SAP NetWeaver Identity Management Identity
Center: Installing the database (Microsoft SQL Server/Oracle)).
• User Interface (UI). This is the end-user and administrator front-end, which
runs on SAP NetWeaver AS Java. High availability is handled by SAP
NetWeaver. The Identity Center does not require a dedicated NetWeaver, so
existing instances may be used.
• Runtime Components (RT). For high availability reasons, there must be at
least two RT servers. See the installation guide for supported platforms (SAP
NetWeaver Identity Management Identity Center Installation overview).
Dedicated servers are not required, so you may be able to use existing servers
for this. The number of RT servers and their placement in the network depends
on the identity management topology and network topology.
• Management Console (MC). This is the developer/IT administrator console, running on Microsoft Windows, using the Microsoft Management Console. There will normally not be any high availability requirements on this component, which can be installed on any Microsoft Windows server and requires very few resources. A dedicated server is not necessary.
4.2.4. Test / QA / DEV system
The test/QA and DEV system must contain the same components as the
production system, but high availability is not required, and also the performance
demands will be lower, so all components may be installed on the same
Microsoft Windows server. Or they can be installed on different systems, if that is
more convenient.
4.2.5. Synchronizing the configuration
It is assumed that all configuration changes are first tested on the test system,
and then transported to the production system. This is documented in the staging
document (SAP NetWeaver Identity Management Identity Center Implementation
Guide Staging environment).
4.2.6. Backup
As the Identity Center stores all configuration information in the database, this is the only
component which needs to be backed up.
Please see the backup and restore procedures for the relevant database for details on
these operations.
4.2.7. Identity Center servers
In the description of the system landscapes, the following names are used to identify the different servers/components of the Identity Center.
SAP NetWeaver AS Java (with Portal): Portal roles, UME roles. Replicated from LDAP: UME users and UME groups. Provisioned from IC: role assignments.
SAP NetWeaver AS ABAP: ABAP roles and profiles. Users and role assignments.
Figure 3 - NW IdM System Overview
In this use case, the corporate LDAP directory (i.e. Sun One LDAP) is the leading system for maintaining identities. If you maintain user master records locally in the target system after performing the initial load into the Identity Center, these changes are not reflected in the Identity Center and are not included in the provisioning process. (Note: local changes to other attributes with a different source system, for example email addresses where the source system is a mail server, or changes to roles or role assignments, can be provisioned back to the corresponding source system.)
Assign the business roles to identities in the Identity Center according to the role model. The business roles are then mapped to the corresponding privileges, and the corresponding user role assignments are provisioned to the target systems.
This use case shows how to set up identity management for the portal and AS Java system with one back-end AS ABAP system. You can use the same concepts to set up provisioning to further AS Java and AS ABAP systems. You can also provision to non-SAP systems.
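The leading-system rule above (LDAP-owned attributes are authoritative, other-sourced attributes and role changes may flow back) implies a reconciliation check that also surfaces role assignments granted outside IdM and accounts the Identity Center has never loaded. The following is an added illustration, not GSK's or SAP's code; the source-of-record table, record layout and sample users are constructed for the example.

```python
"""Reconciliation check for the 'LDAP is the leading system' model.

Constructed example (not GSK's or SAP's code): Identity Center (IC) and
target-system records are small in-memory dicts, and the source-of-record
table is an assumption made for this illustration.
"""

# Assumed source of record per attribute: LDAP-owned attributes are
# authoritative in the IC; the mail server owns the e-mail address.
SOURCE_OF_RECORD = {
    "displayname": "ldap",
    "department": "ldap",
    "email": "mailserver",
}


def reconcile_user(ic_record, target_record):
    """Compare one IC identity with what the target (e.g. AS ABAP) holds.

    Returns a list of action tuples:
      ("overwrite", attr, target_value, ic_value)   LDAP-owned attribute was
                                                    changed locally; re-provision
      ("write_back", attr, ic_value, target_value)  attribute owned by another
                                                    source; feed back to the IC
      ("local_assignment", role)                    role granted outside IdM;
                                                    flag for approver review
      ("missing_assignment", role)                  IC says assigned, target
                                                    does not have it
    """
    actions = []
    for attr, source in SOURCE_OF_RECORD.items():
        ic_val = ic_record["attributes"].get(attr)
        tgt_val = target_record["attributes"].get(attr)
        if ic_val == tgt_val:
            continue
        if source == "ldap":
            actions.append(("overwrite", attr, tgt_val, ic_val))
        else:
            actions.append(("write_back", attr, ic_val, tgt_val))

    ic_roles = set(ic_record["roles"])
    tgt_roles = set(target_record["roles"])
    for role in sorted(tgt_roles - ic_roles):
        actions.append(("local_assignment", role))
    for role in sorted(ic_roles - tgt_roles):
        actions.append(("missing_assignment", role))
    return actions


def reconcile(ic_records, target_records):
    """Join IC and target records on uid; accounts unknown to the IC are
    reported as orphans, since IdM never loaded or provisioned them."""
    ic_by_uid = {r["uid"]: r for r in ic_records}
    report = {}
    for tgt in target_records:
        ic = ic_by_uid.get(tgt["uid"])
        if ic is None:
            report[tgt["uid"]] = [("orphan_account",)]
        else:
            report[tgt["uid"]] = reconcile_user(ic, tgt)
    return report


# Constructed sample data.
IC_RECORDS = [
    {"uid": "jdoe", "attributes": {"displayname": "J Doe", "department": "Finance",
                                   "email": "j.doe@example.com"},
     "roles": ["Z_AP_INVOICE_ENTRY"]},
    {"uid": "asmith", "attributes": {"displayname": "A Smith", "department": "IT",
                                     "email": "a.smith@example.com"},
     "roles": ["Z_BASIS_DISPLAY", "Z_BASIS_ADMIN"]},
]
TARGET_RECORDS = [
    # department changed locally (LDAP-owned), e-mail changed by the mail
    # server, and a payment-release role granted directly in the target
    {"uid": "jdoe", "attributes": {"displayname": "J Doe", "department": "Sales",
                                   "email": "jdoe@example.com"},
     "roles": ["Z_AP_INVOICE_ENTRY", "Z_AP_PAYMENT_RELEASE"]},
    # admin role missing in the target although the IC assigns it
    {"uid": "asmith", "attributes": {"displayname": "A Smith", "department": "IT",
                                     "email": "a.smith@example.com"},
     "roles": ["Z_BASIS_DISPLAY"]},
    # account that the IC has never seen
    {"uid": "svc_old", "attributes": {}, "roles": ["Z_LEGACY_BATCH"]},
]

if __name__ == "__main__":
    for uid, actions in reconcile(IC_RECORDS, TARGET_RECORDS).items():
        print(uid, actions)
```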
Both the GRC and IdM environments will be working full-time. IdM will be handling requests on a continual basis and then provisioning on a continual basis. When the Risk Analysis is not being called during approval of these requests, it will be used independently by users, i.e. Business Owners, Security & Authorisation, Role changes & generation, etc. In addition, GRC will be running backend sync reports and jobs with target systems. Independently, IdM will also be running backend sync on roles and users. The peak for the backend jobs would be in off-peak times or at the weekend, but both systems will be functioning full-time. Therefore, it is always suggested as best practice for GRC to be located as a standalone system, as the risk analysis reporting tends to be performance-intensive.
In the above planned ERP implementation landscape, it is planned for both the GRC and IdM Production environments to be situated on separate LPARs; this is an acceptable strategy. The Non-Production systems for GRC and IdM will be on a shared environment, which should not be an issue provided correct virtual memory allocation is set.
As neither the GRC nor the IDM system has any impact on financial data or interferes with regular compliance reporting, there is no requirement to have GRC or IDM instances across the full planned SAP ERP CERPs landscape. Therefore, it is suggested that only three instances of GRC and IDM are required, as set out in figure 5 above, although this should be confirmed with the GSK Compliance division:
IDM
• 1 x Sandbox (SBX) – to be utilised for initial installation and testing
• 1 x Development (DEV) – to be utilised for connectivity and provisioning to DEV and QA environments (if required)
• 1 x Quality (QA) – to be utilised for testing
• 1 x Production (PRD) – to be utilised as the main client for generation of user requests, approvals and provisioning to SAP Production and Non-Production environments
GRC
• 1 x Sandbox (SBX) – to be utilised for initial installation, design of workflows and testing
• 1 x Development (DEV) – to be utilised for connectivity to DEV and QA environments for Risk Analysis reporting, Simulation and Role Management (if required)
• 1 x Quality (QA) – to be utilised for Testing
• 1 x Production (PRD) – to be utilised as the main client for provisioning to SAP Production and Non-Production environments
(Note: GRC SPM and ERM with regard to further planning after WAVE 1:
As SuperUser Privilege Management (ex FireFighter) will continue to be used in the backend systems, the relevant GRC module will still be required to be installed on all backend environments. The difference with GRC AC 5.3 from previous versions is that it allows for a Central Console for SPM, therefore allowing SPM (FireFighter) reports to be run and collated from the GRC AC 5.3 system (providing a central repository of reports and simpler audit requirements); therefore there is no additional requirement for GRC systems in so far as this aspect is concerned. SPM (FireFighter) reports can still be run individually via GUI directly in the backend systems if required, as well as utilising the Java graphic frontend of GRC AC 5.3 for Audit and management requirements on the GRC DEV and PRD systems.)
Once again, there is no need to make allowance for additional GRC systems, as ERM is run solely from the GRC DEV system: all new or changed roles would be generated to the backend DEV systems and then transported through to the QA systems via the normal SAP transport framework if required. The GRC ERM would do the generation of new or changed roles through a role approval workflow via a request. No roles are ever created, changed and provisioned directly into a PRD environment. The roles, on approval, would be created/changed in the DEV system environments and then transported through the normal transport and QA testing strategy. Therefore, ERM is not installed on the GRC PRD system, as it is not advised to allow for direct generation of roles on any PRD environment.
SAP is the strategic application platform for the ERP Programme and the following SAP business applications will be deployed as part of CERPS:
• SAP ECC (ABAP)
• SAP BW (ABAP & Java)
• SAP SRM (ABAP) including SRM-MDM Catalogue
• SAP SCM (ABAP & Java) including SAP LiveCache
• SAP PI (Dual)
• SAP IdM (Java)
• SAP GRC (Java)
• SAP TREX (Standalone Engine)
SAP is deployed on SAP's Web Application Server platform, which can be of type ABAP, Java and/or Dual Stack (ABAP/Java combined); this is indicated above for each of the SAP applications in scope of CERPS.
Deals with all connections to/from SBOP Access Control through the web service API exposed by SBOP Access Control.
The Runtime Components (dispatchers, runtime engines and event agents) act as
local or remote agents for the Identity Center and are responsible for processing both
provisioning and synchronization tasks. They are also responsible for performing
reconciliation and bootstrapping. Event agents can be configured to take action
based on changes in different types of repositories such as directory servers,
message queues or others. This mechanism is optional and its only purpose is to
initiate synchronization based on changes in repositories in addition to the scheduled
operations.
1.2.6. SAP Business Objects Access Control components are used in the following way:
Compliant User Provisioning (CUP):
- Provides web services for compliance checks, status checks, etc.
- Workflow for risk analysis and mitigating controls
Risk Analysis and Remediation (RAR):
- Provides risk analysis services to detect SOD violations and critical permissions
- CUP-RAR communication via internal web services
The SAP client concept is only applicable to SAP applications which are deployed on the SAP Web AS ABAP stack or a dual stack of ABAP/Java in the same instance. The SAP applications deployed with SAP Web AS ABAP or SAP Web AS Dual Stack in the CERPS landscape to which NW IDM will be connecting are as follows:
• SAP ECC
• SAP SRM
• SAP SCM
• SAP BW
• ERP Portal
• SAP PI
• SAP Solution Manager
• Web Dispatcher
• GRC AC
• NWDI (?)
• TREX (?)
Approval workflow
- Approval workflows would be conducted in the NW IDM system, with the exception that when a Risk Analysis is run and an SoD issue arises, the IDM Approver would need to log in directly to the GRC AC CUP environment to assign mitigation. The IDM request, with the mitigation assignment, would then be passed back to NW IDM for provisioning to the respective user.
(Note: Should there be no available mitigation control in RAR, the request would need to be either put on "hold" within CUP or rejected by the Approver, and a new mitigation control is then defined and created in the GRC AC RAR module in relation to the new risk issue encountered.)
- User notifications from AC and/or IdM when rejecting a request at the SoD mitigation stage of the workflow need to be considered, as NW IdM does not have web service connectivity with GRC AC for this functionality.
Risk analysis
- The risk analysis web service through GRC RAR does not support risk simulation. Risk simulation can only be performed directly in the AC 5.3 RAR module. (When provisioning new users, the request has to be submitted to AC for risk analysis. IdM can retrieve the result by polling the risk analysis web service with the Request ID.)
- Initially all new users will be created in the Sun One LDAP. Only SAP user change requests will be processed and provisioned through NW IdM. Requests for provisioning to non-SAP instances will be provided by Virtualization Provisioning (VP) powered by CA IdM. It is envisaged that NW IdM will handle requisition and provisioning of all SAP & Non-SAP systems in the future and that VP would be decommissioned. When provisioning existing users, risk analysis can be called by IdM.
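The approval workflow and risk analysis points above describe one request lifecycle: IdM submits the request to AC, polls the RAR web service by Request ID, and on an SoD hit the approver must assign a mitigating control in CUP, with the request held or rejected when RAR has no control for the risk. The following simulation is an added illustration, not the SAP web service API and not GSK's configuration; the SoD rules, mitigating controls, role names and the in-memory risk analysis service are constructed for the example.

```python
"""Simulation of the NW IdM / GRC AC CUP-RAR request flow described above.

Constructed example (not the SAP web service API and not GSK's configuration):
the SoD rule set, mitigating controls and the polling 'risk analysis service'
are in-memory stand-ins so the decision logic can be run offline.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional, Set


class Status(Enum):
    SUBMITTED = "submitted"
    RISK_PENDING = "risk analysis pending"
    CLEAN = "no SoD risk"
    VIOLATION = "SoD violation"
    MITIGATED = "mitigating control assigned"
    ON_HOLD = "on hold: no mitigating control in RAR"
    REJECTED = "rejected by approver"
    PROVISIONED = "provisioned"


# Assumed SoD rules: a pair of roles that must not be held together -> risk id.
SOD_RULES = {
    ("Z_AP_INVOICE_ENTRY", "Z_AP_PAYMENT_RELEASE"): "P001",
    ("Z_MM_VENDOR_MAINT", "Z_AP_PAYMENT_RELEASE"): "P002",
}
# Assumed mitigating controls defined in RAR, keyed by risk id (P002 has none).
MITIGATING_CONTROLS = {"P001": "MC-AP-01"}


@dataclass
class Request:
    request_id: str
    user: str
    existing_roles: Set[str]
    requested_roles: Set[str]
    status: Status = Status.SUBMITTED
    risks: List[str] = field(default_factory=list)
    mitigation: Optional[str] = None
    history: List[Status] = field(default_factory=list)

    def move(self, status: Status) -> None:
        self.status = status
        self.history.append(status)


class RiskAnalysisService:
    """Stand-in for the RAR risk analysis web service: results are keyed by
    request id and fetched by polling, as the text describes."""

    def __init__(self) -> None:
        self._results: Dict[str, List[str]] = {}

    def submit(self, req: Request) -> None:
        # Analyse the user's resulting access, not only the requested roles.
        roles = req.existing_roles | req.requested_roles
        self._results[req.request_id] = [
            risk for (a, b), risk in SOD_RULES.items() if a in roles and b in roles
        ]

    def poll(self, request_id: str) -> Optional[List[str]]:
        return self._results.get(request_id)  # None: not finished / unknown id


def process_request(req: Request, rar: RiskAnalysisService,
                    approver_accepts: bool = True) -> Request:
    """Drive one request through the flow: IdM submits to AC, polls RAR by
    request id, then either provisions or hands the SoD issue to the approver
    in CUP, where a mitigating control must exist for every reported risk."""
    rar.submit(req)
    req.move(Status.RISK_PENDING)
    risks = rar.poll(req.request_id)
    if risks is None:          # analysis still running: poll again later
        return req
    req.risks = risks
    if not risks:
        req.move(Status.CLEAN)
        req.move(Status.PROVISIONED)
        return req
    req.move(Status.VIOLATION)
    controls = [MITIGATING_CONTROLS.get(r) for r in risks]
    if any(c is None for c in controls):
        # No control in RAR: hold in CUP until one is defined for the new risk.
        req.move(Status.ON_HOLD)
        return req
    if not approver_accepts:
        req.move(Status.REJECTED)
        return req
    req.mitigation = ",".join(controls)
    req.move(Status.MITIGATED)
    req.move(Status.PROVISIONED)   # mitigation result passed back to NW IdM
    return req
```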
You can create Web-based tasks for interactive identity management operations (request, approval, etc.), but rule definitions that have no interaction are also defined in the workflow.
The workflows can be triggered either by a Web interface task or by an "event task" that recognizes changes.
The definition of the rule logic is highly flexible. This includes sequential, parallel, conditional, and approval operations.
As it is not envisaged to connect with the GSK HCM environment, all workflows in the Level 3 template will be triggered by a web interface, i.e. a request generated/submitted through the SAP portal.
• Download components
• Install components
• Perform initial configuration
Configuration of Sandbox:
- Configure Virtual Directory Server
- Configure Identity Center
- Configure Runtime components
- Configure Identity management UI
- Configure Management Console
- Configure Business Objects Access Control components
- Set up connectors in the Test (Sandbox) and Development system
- Configure IdM and GRC AC web services
- Test backend system connectivity and web services
- Set up individual provisioning frameworks in both NW IdM and GRC AC CUP
- Set up and configure User/Role Requests structure and process
Workflows:
- Set up approval workflows and other processes – NW IdM and GRC AC CUP
- Set up SoD exception and mitigation workflows in GRC AC CUP
- Import sample users and roles
- Design role mapping of default and template roles in user request
- Implement authorization concept
- Set up workflow reporting
Configuration of DEV:
- Configure Virtual Directory Server
- Configure Identity Center
- Configure Runtime components
- Configure Identity management UI
- Configure Management Console
- Configure Business Objects Access Control components
- Set up connectors in the (DEV) Development system
- Configure IdM and GRC AC web services
- Test backend system connectivity and web services
- Set up individual provisioning frameworks in both NW IdM and GRC AC CUP
- Set up and configure User/Role Requests structure and process
Workflows:
- Set up approval workflows and other processes – NW IdM and GRC AC CUP
- Set up SoD exception and mitigation workflows in GRC AC CUP
- Import sample users and roles
- Design role mapping of default and template roles in user request
- Implement authorization concept
- Set up workflow reporting
• Set up and run initial loads in development / test system(s)
• Perform data cleansing
• Run and test approval workflows with SoD exception rule
• Run and test initial provisioning in Test and Dev systems
• Set up regular backend batch sync and custom jobs
• Set up regular and compliance reporting
2.2.8. Phase 5 - Wave 1 Master Data Load (20th Sept – 22nd Oct)
• LDAP integration
• Semi-Automated Provisioning SAP Non-Production
• GRC Integration
• User Data upload – 2,500
• Leavers process
2.2.9. Phase 6 - IdM Test Stage – Wave 1 (25th Oct – 17th Nov)
2.3. Resources
Figure 11: Updated Resource Review with IdM requirement for Level 3 Planning
Role: GRC Functional Consultant
Responsibilities:
- Functional implementation of GRC AC 5.3 systems
- Configuration of GRC AC 5.3 components (RAR, SPM, ERM, CUP)
- Assist IdM Consultant in designing SoD exception workflow in CUP
- Quality Assurance
- Documentation
- Documenting of Issue Log and Resolutions
Glossary of Terms
NW IDM – NetWeaver Identity Management
GRC – Governance, Risk and Compliance (Business Software Area in SAP AG)
CUP – Compliant User Provisioning
AC 5.3 – Access Control v. 5.3
SOD – Segregation of Duties
ERM – Enterprise Role Management
SPM – GRC AC 5.3 SuperUser Privilege Management