Thursday, March 21, 2013

The future of SAP GRC

There has been quite a bit of discussion about the potential futures of SAP IDM and SAP GRC. SAP has just started a survey so that they can get customer input. I would encourage all customers using or considering these products to take the poll.

I've worked with the integration between the two products several times now, and I can honestly say that I have never achieved the results that I wanted. As I've thought about the issues that have kept me from getting what I (and of course, my clients) want, it all seems to come down to the architecture.

The way SAP would have it, GRC is the brains, VDS the nervous system, and IDM is the muscle.  IDM workflow does all the work using the various frameworks (Provisioning, Exchange, GRC, Lotus Notes, etc.) while it checks with GRC via VDS to tell it what to do.

The problem as I see it is that there are:
  • Too many moving parts - IDM to VDS, via Web Services to GRC, and back to IDM
  • Not enough information that passes back from GRC - We don't see why things are rejected and it's not clear what is happening.
  • A lack of ways that conflicts can be addressed from IDM - This means that the "Security Desk" needs to get involved so they can fix the issue.
So how should this be addressed? One option is a tighter integration that is more direct and thicker, that is, one where more information is passed, so that IDM becomes the "face" of GRC and allows for mitigation and remediation activities. However, I do not know that the current SAP architecture really supports this. Therefore I think it makes more sense for IDM to "consume" GRC and make the GRC functionality part of IDM.

IDM already has a very basic concept of Segregation of Duties through its Role Mutual Exclusion functionality. Having logic that determines what should be "Mutually Excluded" come from GRC-type functionality makes sense.

However, as SAP Roles map to IDM Privileges, this concept would also need to be extended to the IDM Privilege level.
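To show why the privilege level matters, here is a small worked illustration I've put together for this post. It is hypothetical code, not SAP IDM's Role Mutual Exclusion implementation, and the role and privilege names (Z_AP_INVOICE_ENTRY, Z_AP_PAYMENT_RUN, Z_AP_ALL, the PRIV:SYSTEM:ROLE naming) are constructed. A mutual exclusion defined only on a pair of single roles is silently bypassed when a composite role bundles both of them; the same exclusion pushed down to the privileges the roles map to catches it.

```python
"""Mutual exclusion (segregation of duties) at role level and at privilege level.

Hypothetical illustration written for this post: role and privilege names are
constructed, and this is not SAP IDM's Role Mutual Exclusion implementation.
"""

# Constructed mapping: each SAP role becomes one IDM privilege per target system.
# Z_AP_ALL stands for a composite role that bundles the two single roles.
ROLE_TO_PRIVILEGES = {
    "Z_AP_INVOICE_ENTRY": {"PRIV:ECC_PRD:Z_AP_INVOICE_ENTRY"},
    "Z_AP_PAYMENT_RUN": {"PRIV:ECC_PRD:Z_AP_PAYMENT_RUN"},
    "Z_AP_ALL": {"PRIV:ECC_PRD:Z_AP_INVOICE_ENTRY", "PRIV:ECC_PRD:Z_AP_PAYMENT_RUN"},
    "Z_HR_PAYROLL": {"PRIV:HCM_PRD:Z_HR_PAYROLL"},
}

# Mutual exclusion as it is usually defined: pairs of roles that must not coexist.
ROLE_EXCLUSIONS = [("Z_AP_INVOICE_ENTRY", "Z_AP_PAYMENT_RUN")]


def role_level_conflicts(assigned_roles, exclusions=ROLE_EXCLUSIONS):
    """Pairs of excluded roles that are both directly assigned."""
    roles = set(assigned_roles)
    return sorted((a, b) for a, b in exclusions if a in roles and b in roles)


def derive_privilege_exclusions(role_to_privs, role_exclusions):
    """Push each excluded role pair down to the privilege pairs it implies."""
    pairs = set()
    for role_a, role_b in role_exclusions:
        for priv_a in role_to_privs[role_a]:
            for priv_b in role_to_privs[role_b]:
                if priv_a != priv_b:
                    pairs.add(tuple(sorted((priv_a, priv_b))))
    return pairs


def effective_privileges(assigned_roles, role_to_privs):
    """Flatten the assigned roles into the privileges the user actually holds."""
    privs = set()
    for role in assigned_roles:
        privs |= role_to_privs[role]
    return privs


def privilege_level_conflicts(assigned_privs, priv_exclusions):
    """Excluded privilege pairs that are both present, however they were acquired."""
    privs = set(assigned_privs)
    return sorted((a, b) for a, b in priv_exclusions if a in privs and b in privs)


def check_user(assigned_roles, role_to_privs=ROLE_TO_PRIVILEGES,
               role_exclusions=ROLE_EXCLUSIONS):
    """Run both checks and return what each one finds."""
    priv_exclusions = derive_privilege_exclusions(role_to_privs, role_exclusions)
    return {
        "role_conflicts": role_level_conflicts(assigned_roles, role_exclusions),
        "privilege_conflicts": privilege_level_conflicts(
            effective_privileges(assigned_roles, role_to_privs), priv_exclusions
        ),
    }


if __name__ == "__main__":
    # The composite role slips past the role-level check but not the privilege-level one.
    print(check_user(["Z_AP_INVOICE_ENTRY", "Z_AP_PAYMENT_RUN"]))
    print(check_user(["Z_AP_ALL"]))
    print(check_user(["Z_HR_PAYROLL", "Z_AP_PAYMENT_RUN"]))
```

The second call is the interesting one: a user holding only Z_AP_ALL has no role-level conflict, yet the effective privileges contain both halves of the excluded pair. Deriving the privilege pairs from the role pairs means the rule only has to be maintained once, at the level the business understands, while enforcement happens at the level the target system actually grants.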

Finally, this new functionality would need to include the ability to implement periodic entitlement reviews (sometimes referred to as attestation or certification). Since in a typical SAP Landscape implementation IDM is connected to HCM, with Manager and Organizational properties already defined, IDM is in an excellent position to use its Presentation Layer, Notifications and Identity Store Database to support this.


This is just my opinion, and I have registered it via the survey posted above. Go register yours!


Tuesday, March 19, 2013

Using VDS to Promote Efficiency

Hi there. I know it's been a while since I posted here, but it's not because I'm not working on NetWeaver IDM or writing. I've been doing a lot of the former and a bit of the latter. In order to help promote the growth of a NW IDM technical knowledge base, I've been posting most of my IDM-specific things on the SAP Community Network Blog. I'll still be posting here from time to time, but it will more likely be architectural or opinion-related pieces about IDM.

To that point, I'd like to talk about the seldom discussed Virtual Directory Server. I've always loved VDS and its MaXware predecessor, MVD. There's just so much this product can do. While most of the SAP world is familiar with the Virtual Directory as a Web Services proxy for GRC or for use with HCM, it is so powerful and flexible that it can do everything from provisioning, to authorization and authentication management, to representing data sources in all kinds of different ways.

That's one of the things I'd like to talk about today. Ask most Directory Services administrators about a recommended architecture and they will tell you straight out, "flat, as flat as possible." However, there are a number of reasons that this tends not to happen.

So how do we deal with this? Simple: via the Virtual Directory Server. Set up the flat structures that the administrators want, then use VDS to represent the directory with different views: deep trees organized by geography, department, types of equipment, whatever. Present the displayname and other attributes as the different divisions request. Create separate customer-facing views of your Identity Data.

Also, don't be limited to Directory Services information for your Virtual View of data; use the Identity Store, UME and other sources, separately or joined together, to create your new interface. Information on this can be found here. The advantage is that you can create a virtually (if you'll pardon the pun) unlimited number of data representations. Now go forth and create Virtual Directories; make your Identity Management group the "Can do!" group that provides everyone the flexibility your external customers need while delivering the optimal efficiency the back office wants.
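To make the idea concrete, here is a worked illustration I've written for this post of what a virtual view does: it is not VDS code or configuration, and the directory entries, the second source standing in for the Identity Store, the suffix dc=example,dc=com and the two view definitions are all constructed. The same flat list of people is presented once as a geography tree and once as a department tree, joined with attributes from the second source and given a division-specific displayName, without touching the flat source. It also shows the one thing that bites when you build DNs from attribute values: a value containing a comma has to be escaped or it changes the shape of the tree.

```python
"""Virtual views over a flat directory, in the spirit of a Virtual Directory Server.

Hypothetical illustration: the data, the suffix and the view definitions are
constructed for this example and do not come from SAP VDS or any real directory.
"""

# Constructed sample: a flat container of people, the shape directory admins prefer.
FLAT_DIRECTORY = [
    {"uid": "jdoe", "cn": "Jane Doe", "c": "US", "ou": "Finance", "mail": "jane.doe@example.com"},
    {"uid": "mmuster", "cn": "Max Mustermann", "c": "DE", "ou": "Finance", "mail": "max.mustermann@example.com"},
    {"uid": "lchen", "cn": "Li Chen", "c": "US", "ou": "Sales, EMEA", "mail": "li.chen@example.com"},
]

# Constructed second source (think Identity Store or UME), keyed by uid.
IDENTITY_STORE = {
    "jdoe": {"manager": "bboss", "costcenter": "1000"},
    "mmuster": {"manager": "bboss", "costcenter": "2000"},
    "lchen": {"manager": "svp", "costcenter": "3000"},
}

SUFFIX = "dc=example,dc=com"

# A view is a list of (rdn_type, source_attribute) pairs from the top of the
# virtual tree down to the level just above the person entry.
BY_GEOGRAPHY = [("c", "c"), ("ou", "ou")]    # c=US -> ou=Finance -> uid=...
BY_DEPARTMENT = [("ou", "ou"), ("c", "c")]   # ou=Finance -> c=US -> uid=...


def ldap_escape(value: str) -> str:
    """Escape an attribute value for use in a DN (RFC 4514 rules).

    Without this, "Sales, EMEA" would split into two RDNs and silently add a level
    to the virtual tree.
    """
    out = "".join("\\" + ch if ch in '"+,;<>\\' else ch for ch in value)
    if out[:1] in (" ", "#"):
        out = "\\" + out
    if out.endswith(" ") and not out.endswith("\\ "):
        out = out[:-1] + "\\ "
    return out


def virtual_dn(entry: dict, view: list, suffix: str) -> str:
    """Build the DN of `entry` inside a view: leaf RDN first, suffix last."""
    rdns = [f"uid={ldap_escape(entry['uid'])}"]
    for rdn_type, attr in reversed(view):
        rdns.append(f"{rdn_type}={ldap_escape(entry[attr])}")
    rdns.append(suffix)
    return ",".join(rdns)


def build_view(entries, view, suffix, joined_source=None):
    """Return {virtual DN: presented entry}.

    The presented entry joins the directory record with the second source on uid
    and computes a division-specific displayName; the flat source is left as is.
    """
    result = {}
    for entry in entries:
        presented = dict(entry)
        if joined_source is not None:
            presented.update(joined_source.get(entry["uid"], {}))
        presented["displayName"] = f"{entry['cn']} ({entry['ou']}, {entry['c']})"
        result[virtual_dn(entry, view, suffix)] = presented
    return result


def search_subtree(view_entries: dict, base_dn: str) -> list:
    """Entries strictly below base_dn: a consumer bound to one branch sees only its slice."""
    marker = "," + base_dn.lower()
    return [e for dn, e in view_entries.items() if dn.lower().endswith(marker)]


if __name__ == "__main__":
    geo = build_view(FLAT_DIRECTORY, BY_GEOGRAPHY, SUFFIX, IDENTITY_STORE)
    for dn in sorted(geo):
        print(dn)
    print([e["uid"] for e in search_subtree(geo, "c=US," + SUFFIX)])
```

The point of the two view definitions is that neither one is "the" directory: the flat container stays flat for the administrators, and each division gets the hierarchy and the attribute presentation it asked for. Scoping a consumer to a subtree of one view, as search_subtree does, is also how a customer-facing view exposes only the slice of identity data that customer should see.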

Tuesday, October 23, 2012

The Importance of the OSS Note

One of the things I've been hearing (and experiencing) lately is that there are a lot of questions about how SAP IDM works.  Sometimes it's a functionality question, sometimes it's an enhancement request, other times it's a bug report.

Taking a look on the SAP IDM SDN forum, one can see several instances of all of these issues. However, some feel that the actual issues are never recognized by SAP.  This leads to feelings of frustration and that IDM is too complicated.

There's actually a pretty simple resolution to this. When you have a problem, log an OSS note; that's what they are there for. Too often we bolt right to the forums to get answers, and that's not a bad idea at all; however, if the issue is significant enough, we need to inform SAP formally.

There are a few long-term benefits to this as well:
  1. OSS Notes give SAP Support the opportunity to learn what we are doing in the field and what they should expect to see.
  2. SAP Product Management gets some metrics to see what needs to be improved in the product.
  3. The "institutional" knowledge grows, which results in better wiki entries, SAP Notes and overall documentation.
  4. It is much easier to escalate an issue with your SAP account manager if you have an OSS number.
Of course, this also places some responsibilities on SAP's part:

  1. Support responses must be timely! I've heard of some significant delays in getting even preliminary answers.
  2. Speaking of preliminary answers, first level support needs to be able to do more than simply take error codes and logs.  We need some level of support.
  3. There must not be an automatic response of "we cannot support you, you have made customizations." For pity's sake, the system was designed to be configurable, and everyone knows the Provisioning framework will have some work done to it; that's why it's called a framework!
With a little bit of patience, understanding and work I think the system will work just fine. So please, take the time to document your issues and submit those OSS notes!

Friday, October 19, 2012

TechEd 2012 Wrapup

Quicker than I thought possible, another TechEd has come and gone. It's been a fantastic TechEd this year.

From the SAP Identity Management perspective we saw some exciting new things this year:
  • NW IDM Service Pack 6 is scheduled to be released in the next couple of weeks with some nice new features.
  • Longer term enhancements will see the end of the dreaded MMC console! I don't think we'll see this in the next couple of enhancements, but I think we'll see it by the end of 2013!
  • Virtual Directory received a renewed focus with sessions not only on standard SAP use cases but also in dealing with Identity Services.
  • SAP SSO got some nice attention as well.  I'd expect that next year we'll have some hands-on sessions as well.
One thing that I did notice this year was a near complete lack of attention to GRC.  This has me wondering many things.  I don't think that GRC is going away, as the compliance space is very hot right now with all the big companies (IBM, EMC, Oracle, CA, etc.) involved and some other small players (SailPoint, Aveksa) are growing at a rapid pace.

I've not been able to get any confirmation from anyone at SAP, but if I put my thinking cap on, I would say that we're looking at the beginning of a re-alignment of how GRC is being included in workflow. Stay tuned!

Thursday, October 18, 2012

SAP TechEd Days 2 and 3

As usual, events here at TechEd have caught up with me and I missed a post. Sorry, folks!

This does not mean that there has been a lack of activity here at TechEd. Yesterday, I attended an excellent hands-on workshop on Context Based provisioning. Any organization that is looking into SAP IDM for the purpose of managing SAP Roles over multiple locations or positions needs to look into Context Based provisioning. I think one can make an excellent comparison between IDM contexts and the Derived Role concept within SAP. I'll have to write some more on that later, either here or on the SCN Blog. I've also come up with some other interesting ideas for Contexts which I will be working on over the next few weeks. Hopefully, I'll have something to share soon.

There were also a number of good Q&A sessions where users could go one-on-one with some of the SAP IDM experts that came over from SAP Labs in Trondheim, Norway.  For those that don't know, NetWeaver IDM was born as MaXware Identity Server in Trondheim back in the 1990s and core development still happens there to this day.  Concepts such as Assignments, Approvals and Virtual Directory Server were covered.

Today I was able to attend a session on the use of the Provisioning Framework.  Not too much new there, but it was good to hear that SAP is committed to the Framework and feels that IDM is the best way to provision users to SAP systems. During the presentation, the following general IDM points were brought up that I would like to comment on:

  • Users should consider IDM over CUP if connections to external applications are required (e.g., Microsoft Active Directory)
  • IDM should be used over other provisioning methodologies for audit and compliance reasons
  • Do not think of SAP or non-SAP roles, privileges, provisioning etc.; it is all Enterprise provisioning

I'll have a wrap-up of TechEd tomorrow with some closing thoughts.

Wednesday, October 17, 2012

SAP TechEd 2012: Day 1

Day 1, all I can really say is Wow! I attended sessions on the latest addition to SAP's Identity Management line-up, some of its oldest technology, and the future of NetWeaver IDM. After today's sessions, my mind is completely blown away.

I started the day with two informative sessions on SAP's Single Sign-on Offering based on the technology asset acquisition from SECUDE about 18 months ago. SAP has clearly recognized that information security must begin at the login and proceed from there.  I'm looking forward to learning more about it over the next year or so.  It's a major technology on my radar and should be considered as a key strategic goal for all SAP implementations.

The next session was based on a favorite technology of mine, the Virtual Directory Server (VDS). Virtual Directory technology has been the "next big thing" in Identity Management for many years now. It appears that SAP's use of Virtual Directory not only as an LDAP proxy but also as a Web Services proxy could very well make this the case, particularly in the SAP ecosystem. Miroslav Jokic, SAP's VDS expert going back to the MaXware days, gave a great presentation. In an hour-long session, Misa gave a thorough overview of VDS, explaining its architecture, basic use cases and extended use cases when working with Web Services. Clearly this is a technology whose time has come.

The third session of the day dealt with best practices for implementing SAP IDM. While focused on consultants, Kåre Indrøy presented a good 10-point plan that is applicable to any IDM implementation. In the second half of the presentation, we received an excellent briefing on the new SAP Rapid Deployment Framework for IDM developed by SAP Consulting. While somewhat limited in scope, it certainly does appear to be something that can be quickly implemented for most small to mid-sized clients if all of the prerequisites are met.

All of these new features will be available in NetWeaver IDM SP 6 which should be available in 2-3 weeks.  Most are also available in SP 5, but not through the Web UI.

Now we come to the Crown Jewel of the day, which was a 2 hour presentation by Kåre and John Erik Setsaas showing the latest functionality to be released shortly in Service Pack 6 for NetWeaver IDM 7.2 and what we can expect to see in the next 6-9 months. Approvals are being enhanced again, making them more functional than ever, particularly where declines and assignments are involved.  Automatic Delegation is now available to designate temporary approvers when the primary approver will not be available.  
NOTE: Everything that follows is conceptual and is not guaranteed to be in any future version of NetWeaver Identity Management.
Trace functionality is also improved with additional control from the Web UI, which will be a boon to IDM developers. Also added to the Web UI is a new SQL Execution reporting interface that will report on database queries that last longer than a predefined limit.  This is a significant enhancement of the Configuration Analyzer's ability to detect inefficient queries and will be something that IDM Administrators will be very interested in.

The last part of the presentation was the really exciting part. Kåre and John showed us some of the functions that we could be seeing beyond Service Pack 6. Access to the Administration Console looks like it will be getting some tightening, along with locking of objects being worked on in the Admin console. It's been a long-standing issue that only one user should be accessing an IDM object in the MMC console at a time (personally, I'm not fond of two people looking at the same configuration at the same time). When the user is done editing and checks the object back in, it becomes available for editing by another IDM administrative user. Additional UME-based security is being considered to restrict access to the IDM administrative objects as well.

Also, it has been confirmed that DB2 will be supported by IDM in the near future. The DB2 version will only work if the DB2 database has been prepared to run in "Oracle Mode". I'm sure we will be getting more information soon.

The pièce de résistance of the afternoon was a brief overview of an early alpha version of a new Development UI. I'm not going into a lot of detail here since it was such an early release, but suffice it to say that a 21st-century, Eclipse-based interface is on the horizon, and for those like me who have been working with the current interface for the last 8+ years, it appears that this will be the answer to our prayers.

I did not cover everything mentioned in these presentations for a couple of reasons. One, I'd be writing for hours and I need to get some sleep tonight so I can be ready for tomorrow's sessions. Two, this is SAP TechEd and you should be here. If you're wondering whether it is worth it, I say YES! Hopefully this information will make you feel the same way!

Monday, October 15, 2012

SAP TechEd: Preview

I'm here in Las Vegas, Nevada for SAP TechEd 2012 and I could not be happier. It's looking like quite the busy week of IDM-related training. Attendees are arriving and I've already seen a few people I know from SAP, past projects and the greater IDM community. From what I've already heard, we're in for a week of exciting learning, future product direction and late-breaking functionality in the product. In addition to working with IDM this week, I'll be attending several sessions on the SSO solution that SAP purchased from SECUDE last year. Now that a year has gone by, the product should be fully integrated into the SAP universe and I'm very interested in learning more about it. I was strangely surprised to see very few, if any, SAP GRC solutions in the session listings. Hopefully, I'll be able to find out what's going on with that. On the other hand, there will be several Virtual Directory Server related sessions, which should be quite informative about connecting to various systems and web services.

I'm sure that we will hear the latest news about SAP IDM 7.2. Service Pack 6 is due shortly and I'm looking forward to getting a few rumors confirmed. Probably the one to be confirmed first will be around DB2 support. This will be very good for IBM shops where DB2 is used to the exclusion of the other databases supported by IDM, Microsoft SQL Server and Oracle. It gives me greater flexibility when choosing an IDM solution, as one can now expand the database criteria, and it will answer the pleas for support from many SAP customers that want to get involved with IDM. There are also some rumors about new and improved tools along the lines of the Configuration Analyzer.


Also rumored are some MMC improvements, although I have not yet gotten even a rumor of when a redesigned administrative console will be available; I am assured that it is indeed on the list. I'm hoping to get some information on this during the SAP NetWeaver ID Management - Latest Functionality and Demo session scheduled for tomorrow. Hopefully, I'll have some exciting news for the SAP IDM community.

I'm looking forward to seeing / learning / connecting and reconnecting during the week.  Odds are you'll find me at the various IDM and SSO sessions this week if you're here.  Please feel free to introduce yourselves.  I'd like to try and organize some sort of IDM meet up this week, maybe a drink or two one night.  I've received some interest in this.  If you have not contacted me yet, please leave a comment or email me privately.