Keep Your Web Applications Sarbanes-Oxley-Compliant by Running CUP for SAP NetWeaver Portal

  • by Frank Rambo, PhD, Director, Customer Solution Adoption (CSA), EMEA
  • October 16, 2009
SAP BusinessObjects Access Control 5.3 can connect to the SAP NetWeaver Portal for automated user provisioning. Requesters can use the Compliant User Provisioning (CUP) product capability to request access to SAP NetWeaver Portal and select group memberships, portal roles, and User Management Engine (UME) roles. During the approval process, you can execute a risk analysis on the level of iViews and UME actions included in the requested roles to ensure Sarbanes-Oxley compliance with respect to the Web applications accessible through SAP NetWeaver Portal.
Key Concept

SAP NetWeaver Portal runs on SAP NetWeaver Application Server Java (SAP NetWeaver AS Java). Its user administration component is called User Management Engine (UME) and does not come with its own repository for user master data. It is connected to user data sources of the following types: Lightweight Directory Access Protocol (LDAP) directories, the SAP NetWeaver AS Java database, or the user management of SAP NetWeaver AS ABAP. The UME also has UME roles containing UME Actions, which represent access privileges to the SAP NetWeaver AS Java system administration or Web Dynpro business applications running on that server. The user interface of the UME is used to manage users, groups, and roles – including the allocation of portal roles to users or groups.

The Compliant User Provisioning (CUP) capability of SAP BusinessObjects Access Control 5.3 provides a workflow engine for requesting and approving access requests. It can execute auto-provisioning to a variety of systems connected to CUP through agents. The Enterprise Portal Real-Time-Agent (EPRTA) can be installed on an SAP NetWeaver Portal to provide connectivity to CUP for provisioning. Through internal service calls, CUP interfaces with the Risk Analysis and Remediation (RAR) capability of SAP BusinessObjects Access Control and allows for the execution of a risk analysis and allocation of mitigation controls to reported risk violations during request approval.

Frank Rambo, PhD

Frank Rambo, PhD, manages a team within SAP’s Customer Solution Adoption (CSA) organization that works with customers in the SAP analytics area with the objective of driving adoption of new, innovative solutions. Prior to this position, he worked for eight years at SAP Germany as a senior consultant focusing on SAP security and identity management. Before he joined SAP in 1999, Frank worked as a physicist in an international research team. He lives in Hamburg, Germany.
