Make Identity Management Sarbanes-Oxley-Compliant by Leveraging Integrated SAP Solutions

  • by Frank Rambo, PhD, Director, Customer Solution Adoption (CSA), EMEA
  • July 1, 2009

Efficient processes for identity management (IDM) are a challenge to many companies — in particular when access- and authorization-related risks must be managed and taken into consideration before access privileges are provisioned. SAP BusinessObjects Access Control 5.3 comes with a Web service-based interface intended to provide risk analysis and mitigation features to IDM solutions. See how to integrate one such solution, SAP NetWeaver Identity Management 7.1, with SAP BusinessObjects Access Control 5.3 to obtain a highly cost-efficient solution for compliant IDM.

Key Concept

SAP BusinessObjects Access Control 5.3 comes with a product capability for approval workflows and access provisioning called Compliant User Provisioning (CUP) and a Web service-based interface. This interface allows for the creation of access requests in CUP triggered by external systems. IDM solutions can use this interface to forward entitlements for ERP systems to CUP, where compliance managers can perform detailed risk analysis and mitigation before the entitlements are provisioned in the target systems.

Enterprises have to be highly flexible to adapt to change and take advantage of new business opportunities. This creates pressure to rapidly deploy new applications and systems, and expose them internally and externally to employees, partners, and customers. In such an environment, information on identities — employees, partners, and customers — relevant for business processes and applications is spread across heterogeneous and incompatible sources with different data formats and access protocols. This lack of a central source for identity information leads to inconsistent and out-of-date information, which in turn weakens overall information security and reduces the efficiency of key processes, such as on-boarding of employees or provisioning of required access permissions to customers and business partners.

The prime objective of identity management (IDM) is to overcome these deficiencies, centrally manage all identity data, and ensure high data quality. Another important requirement enterprises must meet is to comply with regulations such as the Sarbanes-Oxley Act, which deals with identification and prevention of access- and authorization-related risks. These legal requirements directly affect provisioning of access privileges to business applications. You need to implement appropriate mechanisms to prevent access to business transactions that in combination represent a segregation of duties (SoD) violation. These mechanisms require complex and detailed rules for risk identification in complex business applications from multiple vendors, which places them beyond the scope of IDM solutions. Consequently, there is currently no single product for compliant IDM available on the market that delivers efficient provisioning of identity data and access privileges as well as Sarbanes-Oxley compliance across a heterogeneous system landscape.

However, you can combine SAP BusinessObjects Access Control 5.3 with IDM solutions to provide an efficient solution for Sarbanes-Oxley-compliant IDM across a heterogeneous system landscape. After an overview of the product capability Compliant User Provisioning (CUP) and its Web service-based interface to IDM solutions, I’ll continue with an introduction to SAP NetWeaver Identity Management 7.1, which represents a powerful combination of the meta-directory and virtual directory concepts. Using the example of SAP NetWeaver Identity Management, I’ll describe a scenario in which you can combine these SAP products to create a highly automated and SAP ERP Human Capital Management (HCM)-integrated solution for Sarbanes-Oxley-compliant IDM.

Let’s start with a couple of technical concepts upon which most IDM solutions are based.

Frank Rambo, PhD

Frank Rambo, PhD, manages a team within SAP’s Customer Solution Adoption (CSA) organization that works with customers in the SAP analytics area with the objective of driving adoption of new, innovative solutions. Prior to this position, he worked eight years for SAP Germany as a senior consultant focusing on SAP security and identity management. Before he joined SAP in 1999, Frank worked as a physicist in an international research team. He lives in Hamburg, Germany.
