Align Identity Management With Business Processes and The User Lifecycle


Solution in detail | Public

SAP Identity Management

Align identity management with business processes and the user lifecycle
Table of contents

Quick facts
The challenges of manual identity management
Effective identity management: A lifecycle approach
SAP Identity Management: Taking a business-centered lifecycle approach
Taking identity management to the next level


Quick facts
Summary
The SAP Identity Management component helps you align user lifecycle management with your organization’s key business processes running in cloud and on-premise solutions. Now, business managers can define role-based, compliant user access rights and identity management across enterprise applications – both SAP and third party – while giving IT the centralized data, alerts, and reporting needed to maintain control and manage risk.

Objectives
• Reduce operational costs and minimize risk in complex system landscapes
• Manage access to applications
• Extend existing on-premise identity management solutions to the cloud
• Improve compliance with local and global regulations

Solution
• Business-driven, compliant identity management for business processes running in cloud and on-premise solutions
• User access rights assigned and maintained across multiple systems
• Password self-service functionality and synchronization
• Roles aligned with business processes rather than technical directory structures
• Reports based on current access and past events

Benefits
• Lower costs and increased productivity due to tight integration with your business processes – both in the cloud and on premise
• One central location for identity data storage, eliminating redundancies
• Support for regulatory requirements, which minimizes segregation-of-duties (SoD) risks

Learn more
For more information, contact your SAP representative or visit us online.


The challenges of manual identity management

Identity management has become a significant challenge for organizations
today. Users need fast, hassle-free access to a multitude of applications both on
premise and in the cloud. And IT must ensure that enterprise data and systems
are secure and that access to them is compliant with company policies and legal
regulations. Meeting these competing demands requires moving beyond manual,
time-consuming, and IT-centered identity management so you can operate
with agility, efficiency, and confidence.

If your organization is still manually managing the identities of employees, contractors, and customers who need access to heterogeneous systems, you likely face a number of challenges. Let’s take a closer look at why – and explore how integrating identity management with business processes within and beyond your enterprise can help you address these challenges.

High operational costs and security risks

Complex system landscapes require that your IT department maintain multiple sources of identity data – for example, by entering data for each user, assigning user permissions for multiple systems, and maintaining user passwords for each system. When IT administrators manually perform these tasks, it can take longer to provision users of multiple systems, slow new employee onboarding, and delay their time to productivity. It also means that users are dependent on IT help desk staff for password resets and changes in access or permissions. This can drive up help desk staffing requirements and costs.

Identity management solutions can help by automating manual tasks for IT staff, pushing certain tasks to line-of-business managers and employees (such as password updates) and tracking and reporting on who has access to what systems and data and when.

Evolving security risks

Manual, paper-based identity management processes also create security risks. For example, it’s not uncommon for employees who have changed roles or have left an organization (either through retirement or termination) to have access to certain systems and data longer than they should. Paper-based approval processes can complicate and slow the process of shutting down or adjusting user access, which can frustrate employees. Identity management solutions can help by introducing standardized workflows and automating many processes related to the identity lifecycle.


Changing business consumption models

In today’s complex business environment, organizations are increasingly extending their business processes into the cloud. As new software consumption models emerge, managing user access to these cloud applications within and beyond enterprise boundaries can become a challenge. For example, you may have identity and access management processes that were originally defined for on-premise landscapes and don’t necessarily work for cloud applications. Addressing this would mean reassessing requirements based on changing business needs and then determining how to manage users in the cloud. Identity management solutions can help by protecting existing identity management structures, provisioning relevant data to cloud applications, and helping your organization build on what it already has, rather than reinventing the wheel.

Increasing compliance requirements

One of the key factors driving the adoption of identity management solutions is compliance requirements. Numerous laws and industry-specific regulations – for example, in healthcare or banking – require that your organization be able to report with certainty who had access to what system resources and when. Identity management solutions help you achieve compliance, enforce SoD policies, provide audit trails, and prevent unauthorized access.


Effective identity management: A lifecycle approach

In addition, there’s a broader challenge of managing identities across the hire-to-retire lifecycle of an employee – from the onboarding process to the termination of their employment contract. Without an identity management solution that automates tasks, supports employee self-service, and centrally tracks access and permissions, things can get complicated quickly. The manual work required to provision and manage user access in a compliant and auditable manner can become increasingly labor intensive, repetitious, and error prone.

When employees are hired, your organization gives them certain permissions in a variety of systems. Later, an employee may receive a promotion or change roles and receive new, additional permissions. Furthermore, you may need to grant other temporary privileges for some year-end activities or while an employee is covering for a colleague on vacation. Thus, an employee typically tends to accrue privileges over time and often continues to have access that’s no longer required for their current role. This is, of course, a security risk. But it’s also a potential compliance violation. Adding a new role might cause conflicting authorization for the user.

Consider this example: A purchasing manager is authorized to issue orders to external vendors, for example, to buy office supplies. To step in for a colleague on sick leave, this purchasing manager temporarily needs the authorization to create vendors in the system. The employee could now misuse this role, create a new fictitious vendor, and issue an order. To minimize the risk that comes from such SoD violations, you must perform a compliance check for all role assignments that apply to critical business processes, such as ERP system roles. Finally, when the employee leaves your company, the access that this user has may still not be revoked, perhaps even years later, which presents obvious and ongoing security risks to your organization.

At each stage, you need to provide users access to the right set of applications according to their current role – no small task without a deeper understanding of employee roles and responsibilities and an automated way of managing this work across an evolving IT landscape.

SAP Identity Management shifts the responsibility of identity management from the IT department to each line of business – or more specifically, from IT administrators to business process owners.


SAP Identity Management: Taking a business-centered lifecycle approach

The SAP Identity Management component simplifies and optimizes how your organization grants and manages user access to SAP and third-party applications to help ensure that this work is performed:
• Securely, efficiently, and in a timely manner
• In alignment with your business processes and roles
• In accordance with audit and compliance requirements

The component provides a central mechanism for provisioning users and assigning them appropriate business roles and permissions. It goes beyond traditional identity management to support related processes such as password management, self-service, and approvals workflows. Equally important, it shifts the responsibility of identity management from the IT department to each line of business – or more specifically, from IT administrators to business process owners who have a deep understanding of employee roles and responsibilities.

The table provides an overview of the core capabilities of SAP Identity Management.

Key features and functions of SAP Identity Management

Business-driven identity management: Tightly integrated into your SAP business applications, the SAP Identity Management component offers a one-step approach to user administration for your SAP and third-party software landscape – on premise and in the cloud.

Cloud connectivity: You can extend your identity management processes into the cloud by connecting SAP Identity Management to the Identity Provisioning service of SAP Cloud Identity Services. This approach combines your tried-and-tested processes with the flexibility and ease of use that comes with a cloud-based identity provisioning solution.

Reporting and auditing: Critical for compliance, extensive auditing functionality enables you to produce reports based on current access and past events. If questions come up, reports can conclusively state whether the person in question had entitlements to particular applications and associated features and functions. You can transparently maintain changes to data, user access rights, and administrative permissions. Tight integration with the SAP Access Control application and the SAP Cloud Identity Access Governance offering allows for the effective mitigation of SoD risks and a compliant user-provisioning process. In addition, privileged access management can be used to meet more critical and sensitive access requirements.

Provisioning, workflow, and approvals: Business rules and policies drive assignment and maintenance of user access rights across multiple systems. You can quickly provision employees and business partners, and changes and approvals are auditable.

Password management and employee self-service: The component supports self-service password reset and password synchronization across connected target systems, as well as the ability to perform self-service updates of personal information. These functions help reduce the cost incurred by your help desk in servicing password resets.

Roles and entitlements: Roles align with business processes rather than technical directory structures. Users are assigned roles and given certain privileges, called entitlements, that enable access to various systems.

Integrated user provisioning

Functionally, SAP Identity Management supports user provisioning by offering one centralized place from which to manage users in SAP and third-party applications, regardless of the individual data stores. This means that, for example, when a phone number or e-mail address is changed in one system, it automatically updates across relevant systems.

You gain:
• Tight integration with your company’s business processes
• Built-in connectivity with SAP Cloud Identity Services for smooth compatibility and integration of on-premise and cloud identity management processes
• Integration between SAP Identity Management and SAP Cloud Identity Services, which offers comprehensive identity lifecycle management capabilities in hybrid IT landscapes

Supporting heterogeneous IT landscapes

SAP Identity Management enables you to streamline the provisioning of users into applications (both SAP and third party), operating systems, file systems, and databases using an ever-expanding library of built-in connectors that come with the component. You can also buy connectors from SAP partners or develop your own using an SAP-provided connector development kit. The integration is based on open communication standards that enable the integration of most applications, including Microsoft Active Directory, Microsoft Exchange, IBM Lotus Notes, and many others.


Extending the identity lifecycle to the cloud


As shown in Figure 1, you can extend SAP Identity Management to the cloud by connecting to SAP Cloud
Identity Services. This option opens up numerous possibilities for designing hybrid scenarios for your
business processes.

Figure 1: SAP Identity Management extends to the cloud
[Diagram labels: end user and application clients (mobile or desktop); SAP Cloud Identity Services on SAP Business Technology Platform (SAP BTP) with Identity Authentication, Identity Provisioning, Identity Directory, and Authorization Management; SAP Identity Management; Cloud connector; cloud solutions from SAP; on-premise solutions from SAP; SAP Secure Login Service for SAP GUI; SAP Cloud Identity Access Governance; applications on SAP BTP. Connection labels: SAML/OIDC, SCIM, authorizations, X.509 certificate for SAP GUI.]

Enabling business-driven identity management

Identity management solutions were originally developed to help IT organizations better manage users across multiple applications. Essentially IT efficiency tools, they streamlined the process of user management by providing a central mechanism to enable these processes.


Business process integration across your intelligent enterprise

You can realize even greater benefits by aligning user management functions more closely with the core business processes that users access (see Figure 2). SAP Identity Management streamlines this alignment through integration with SAP S/4HANA – the heart of your business where processes run – and plays an important role in the integration aspect of an intelligent enterprise. When you integrate identity management solutions with SAP S/4HANA, you connect identity management processes with business processes, moving them away from the IT world and into the business world. For example, by connecting SAP Identity Management with the SAP ERP Human Capital Management solution, you can automate identity management processes across the hire-to-retire process, one of the key pillars of an intelligent enterprise. This enables identity management across the employee lifecycle, from creating a new user in the system to job changes and promotions and even the retirement of an employee or the termination of a user’s contract.

Figure 2: Core business processes that can be aligned with user management functions

Integration across intelligent enterprises is not limited to employee-related processes. For example:
• SAP Identity Management supports processes for business partners and customers, such as the
automated creation of users in the SAP Customer Relationship Management application and business
partners in the SAP Supplier Relationship Management application.
• Integration with SAP Cloud Identity Services allows for tight integration of user data coming from on-premise
applications with the cloud. It protects your existing investments and extends user lifecycle management
to the cloud.


Support for business roles

SAP Identity Management supports a powerful role concept that helps improve business role definition and usage so you can reduce the overall number of roles across your organization. Business roles, which are defined as part of a business process, can be assigned to users within a given application. These business roles consist of one or more technical roles, which are system specific and represent access information or technical authorizations. These include authorization roles such as those for SAP software systems that are based on the ABAP programming language or groups for Microsoft Active Directory. By focusing on business processes and business roles, SAP Identity Management simplifies the creation of roles and authorizations by letting managers start with the business requirements they know best, with no need for them to deal with the underlying IT complexity. When you assign a business role to a user, technical roles for that business role and any role below it in the hierarchy are assigned to the user. In addition, workflow and provisioning are automatically triggered.

By complementing identity management functionality with a governance, risk, and compliance solution for managing access control – such as SAP Cloud Identity Access Governance or SAP Access Control – you can enable compliant identity management. Specifically, you can help ensure that roles and authorizations assigned to a user don’t contain conflicting rights. As a result, you’re not only securing the identity management process but also making it more compliant and auditable.

SAP Identity Management offers compliant user provisioning and reporting and audit functionalities. By integrating SAP Identity Management with SAP Cloud Identity Access Governance software and the SAP Access Control application, you can prevent SoD violations, such as when roles with conflicting permissions are assigned to a user, and put mitigating controls in place. Your organization can get and stay clean on the SoD front, as well as retain control of access to applications in your system landscape – from SAP S/4HANA to third-party applications.
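
The business-role hierarchy described above and the compliance check from the purchasing-manager example in the lifecycle section can be sketched together as follows. This is an added illustration, not SAP Identity Management code or its API; the role names, the SOD_RULES set, and the valid_to expiry field are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass
class BusinessRole:
    name: str
    technical_roles: frozenset = frozenset()  # system-specific authorizations
    children: tuple = ()                      # business roles below this one

@dataclass
class Assignment:
    role: BusinessRole
    valid_to: Optional[date] = None           # None = permanent (assumed field)

def effective_technical_roles(role, _seen=None):
    """Technical roles granted by a business role and every role below it."""
    seen = set() if _seen is None else _seen
    if role.name in seen:                     # guard against a cyclic hierarchy
        return set()
    seen.add(role.name)
    granted = set(role.technical_roles)
    for child in role.children:
        granted |= effective_technical_roles(child, seen)
    return granted

# Constructed rule set: technical roles one user must not hold together.
SOD_RULES = {
    frozenset({"VENDOR_CREATE", "PO_ISSUE"}): "can create a vendor and order from it",
}

def sod_violations(assignments, today):
    """Check every assignment still active on `today` against the SoD rules."""
    held = set()
    for a in assignments:
        if a.valid_to is None or a.valid_to >= today:
            held |= effective_technical_roles(a.role)
    return sorted(why for pair, why in SOD_RULES.items() if pair <= held)

def violations_introduced(assignments, requested, today):
    """Violations that would appear only because of the requested assignment."""
    before = set(sod_violations(assignments, today))
    after = sod_violations(assignments + [requested], today)
    return [v for v in after if v not in before]

# Constructed sample data mirroring the purchasing-manager scenario.
CLERK = BusinessRole("Purchasing Clerk", frozenset({"PO_DISPLAY"}))
PURCHASING_MANAGER = BusinessRole("Purchasing Manager",
                                  frozenset({"PO_ISSUE"}), (CLERK,))
VENDOR_MAINTENANCE = BusinessRole("Vendor Maintenance",
                                  frozenset({"VENDOR_CREATE"}))

if __name__ == "__main__":
    current = [Assignment(PURCHASING_MANAGER)]
    cover = Assignment(VENDOR_MAINTENANCE, valid_to=date(2024, 3, 15))
    # Flagged at request time, while the temporary cover is active.
    print(violations_introduced(current, cover, date(2024, 3, 1)))
    # Gone once the temporary assignment has expired.
    print(sod_violations(current + [cover], date(2024, 4, 1)))
```

Giving the temporary assignment an expiry date is what keeps the conflict from persisting; the same cover role assigned without one stays flagged on every later check.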

Integration between SAP Identity Management and SAP Cloud Identity Services offers comprehensive identity lifecycle management capabilities in hybrid IT landscapes.


Taking identity management to the next level

As a business-oriented component, SAP Identity Management shifts the responsibility for identity management from IT administrators to business process owners – the people who understand employee roles and responsibilities best. For example, line managers can approve role assignments rather than IT staff. At the same time, you can:
• Simplify processes related to identity management
• Centralize identity management across applications
• Extend identity management into the cloud
• Free up IT resources by shifting responsibilities to lines of business
• Improve compliance by giving identity management responsibilities to those with a deeper knowledge of the business and compliance requirements
• Provide richer auditing and reporting functionality
• Integrate with SAP governance, risk, and compliance solutions to prevent SoD violations

Perhaps most important, the component supports identity management across SAP software as well as your heterogeneous and hybrid third-party landscape, including Lightweight Directory Access Protocol, third-party business applications, operating systems, e-mail systems, and databases.

And finally, by lowering total cost of ownership and increasing operational efficiency, SAP Identity Management helps you meet your organization’s objectives of lowering operational costs, increasing productivity, and improving compliance and auditability of processes related to user management in your organization.

Learn more
To learn more about SAP Identity Management and how it can help improve
your business, please contact your SAP representative or visit us online.

74467enUS (24/02) © 2024 SAP SE or an SAP affiliate company. All rights reserved. See Legal Notice on www.sap.com/legal-notice for use terms, disclaimers, disclosures, or restrictions related to this material.
