Optimize Application Integration by Running Risk Analysis and Remediation for SAP NetWeaver Portal

  • by Frank Rambo, PhD, Director, Customer Solution Adoption (CSA), EMEA
  • September 25, 2009
The Web-based environment of SAP NetWeaver Portal provides business users in your organization secure access to a wide array of SAP and non-SAP applications, information, and services, such as SAP ERP, analytics, business intelligence, and document repositories. The diversity of content delivered to your business users through SAP NetWeaver Portal may come with user access-related risks to analyze, monitor, and mitigate. Learn how to integrate SAP NetWeaver Portal into SAP BusinessObjects Access Control 5.3 and include it in your risk analysis and risk mitigation.
Key Concept

SAP BusinessObjects Access Control 5.3 comes with a Java component containing an SAP NetWeaver Portal real-time agent, which you have to deploy on your portal server. SAP BusinessObjects documentation calls this agent the Enterprise Portal Real-Time-Agent (EPRTA). The EPRTA provides connectivity between your SAP BusinessObjects Access Control server and your SAP NetWeaver Portal 7.0 Support Package 12 or higher for real-time risk analysis and user provisioning. Portal content is accessed through iViews, which represent the smallest unit of the portal user interface. iViews are granted to portal users and groups via portal roles. In addition, the portal runs on an SAP NetWeaver Application Server Java, which employs the User Management Engine (UME) to store user-related data.

SAP NetWeaver Portal provides unified access to SAP, third-party, and custom or legacy applications. This includes Single Sign-On (SSO) capabilities and role-based access for your business users to these applications. From a GRC perspective, this comes with additional access-related risks and opportunities for better control.

On one hand, access to a large variety of applications may also include access to confidential data or additional segregation of duties (SoD) issues that arise from lightweight Web-enabled applications, which aren’t well covered in your risk analysis and reporting setup.

On the other hand, the Enterprise Portal Real-Time-Agent (EPRTA) offers the opportunity to include these applications in a simple manner into your risk analysis and risk mitigation. This is possible as long as the applications don’t come with an intrinsic authorization concept that you must take into account during risk analysis. The EPRTA only reports on access to iViews and User Management Engine (UME) actions resulting in SoD and critical action risks. It is unaware of the details of the applications running in these iViews. For example, if iViews contain SAP applications that are secured via the ABAP authorization concept in your SAP back-end systems, then there is little value in adding a second layer of risk analysis on the iView level in SAP NetWeaver Portal. Instead, you should include these applications in the risk analysis you run directly against these SAP back-end systems.
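The following sketch illustrates the kind of iView-level analysis described above. It is an added example, not code from SAP BusinessObjects Access Control or from the author: it resolves users to portal roles, roles to iViews and UME actions, and then checks SoD and critical action rules while skipping iViews whose applications are already secured in a back end. All role names, iView names, UME action names, rule IDs, and the data layout are hypothetical, constructed sample values.

```python
# Constructed sample data; every name and ID below is hypothetical.
ROLE_PERMISSIONS = {  # portal role -> iViews and UME actions it grants
    "vendor_maintenance": {"iview:create_vendor"},
    "payments_clerk": {"iview:release_payment"},
    "user_admin": {"ume:manage_users"},
    "hr_selfservice": {"iview:ess_leave_request"},
}
USER_ROLES = {  # portal user -> assigned portal roles
    "alice": {"vendor_maintenance", "payments_clerk"},
    "bob": {"payments_clerk", "hr_selfservice"},
    "carol": {"user_admin"},
}
# iViews whose application is secured by the ABAP authorization concept in a
# back-end system: these are analyzed there, so they are skipped here.
BACKEND_SECURED = {"iview:ess_leave_request"}

# A function groups permissions; an SoD risk is a pair of conflicting functions.
FUNCTIONS = {
    "maintain_vendor": {"iview:create_vendor"},
    "process_payment": {"iview:release_payment"},
}
SOD_RISKS = {"P001": ("maintain_vendor", "process_payment")}
CRITICAL_ACTIONS = {"C001": "ume:manage_users"}


def effective_permissions(user):
    """Union of everything the user's portal roles grant, minus skipped iViews."""
    perms = set()
    for role in USER_ROLES.get(user, ()):
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms - BACKEND_SECURED


def analyze(user):
    """Return the sorted rule IDs (SoD and critical action) the user violates."""
    perms = effective_permissions(user)
    held = {name for name, needed in FUNCTIONS.items() if needed & perms}
    findings = [rid for rid, (a, b) in SOD_RISKS.items() if a in held and b in held]
    findings += [rid for rid, action in CRITICAL_ACTIONS.items() if action in perms]
    return sorted(findings)


def report():
    """Map each user with at least one finding to the list of rule IDs."""
    results = {user: analyze(user) for user in sorted(USER_ROLES)}
    return {user: risks for user, risks in results.items() if risks}


if __name__ == "__main__":
    for user, risks in report().items():
        print(user, risks)
```
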

In summary, the EPRTA comes with the following business benefits:

  • Simple integration of a variety of Web-enabled applications into your risk analysis

  • Risk mitigation for these applications

  • Simple reporting of access to critical roles in the portal such as roles for super-administrators, user administrators, and content administrators

  • Real-time reporting using the standard SAP BusinessObjects Access Control reporting capabilities already known to your internal control and security team

Frank Rambo, PhD

Frank Rambo, PhD, is managing a team within SAP’s Customer Solution Adoption (CSA) organization working with customers in the SAP analytics area with the objective to drive adoption of new, innovative solutions. Prior to this position, he worked eight years for SAP Germany as a senior consultant focusing on SAP security and identity management. Before he joined SAP in 1999, Frank worked as a physicist in an international research team. He lives in Hamburg, Germany.
