Extensible Authorization for SAP Applications Webinar
1 like957 views
The document discusses the challenges of access management in SAP applications and introduces the OASIS XACML standard as a solution. It highlights how Nextlabs' Entitlement Manager can enhance authorization and compliance by providing more granular control and reducing the complexity of role management. The presentation concludes with the benefits of implementing XACML for SAP customers, such as cost reduction and improved authorization consistency across multiple applications.
Extensible Authorization for SAP Applications Webinar
- 1. Extensible Authorization for SAP Applications Andy Han, VP Product Management, NextLabs, Inc. © 2005-2012 NextLabs Inc.
- 2. Agenda Objectives Highlight relevant access management challenges Learn about the OASIS XACML standard Understand the benefits of XACML to SAP customers Presentation Access Management Challenges Introduction to XACML NextLabs Entitlement Manager for SAP Benefits of XACML to SAP Customers Question and Answers Slide 2 © 2005-2011 NextLabs Inc.
- 3. Access Management Challenges Slide 3 © 2005-2011 NextLabs Inc.
- 4. Enforcement Granularity “We can give her the role, but we can’t limit what data she can see” Product A Product B Product C Product D Product E Supplier Granted Access Required Access Leads to too much access, custom authorization logic and/or complex roles Slide 4 © 2005-2011 NextLabs Inc.
- 5. Discretionary Authorization “Please have you manager approve access” • Why should or shouldn’t you manager approve access? • Role purpose • Job function and assignments • Least privileges • Compliance requirements • Existing access • Trust • When should your access be revoked? Slide 5 © 2005-2011 NextLabs Inc.
- 6. Role Explosion “We have 20,000 users and 25,000 roles” Companies have multiple access drivers Functional Roles Compliance Regulations (e.g. ITAR, DOE, PCI) IP Control Agreements (e.g. PIEA, NDA) Multiple Applications and Systems (e.g. PLM, ERP, CRM) Traditional role based access control (RBAC) explodes based on the number of variables Required Access Rules Number of Access Variables Slide 6 © 2005-2011 NextLabs Inc.
- 7. Introduction to XACML An authorization architecture and a standard policy language. eXtensible Attribute-based access Access control (ABAC) Control Markup Simultaneous policy Language evaluation with combined decisions Slide 7 © 2005-2011 NextLabs Inc.
- 8. Native Authorization Role-Based Authorization controls access to application resources (e.g. functions, transactions) Application Business Logic controls access to Business Logic data resources (e.g. accounts, service RBAC requests) Optionally access governance manages roles (e.g. GRC Access Data Controls) Slide 8 © 2005-2011 NextLabs Inc.
- 9. XACML Authorization Architecture Authorization Business Logic Policy Administration Point externalized (PAP) Reduce customization Bus AuthZ Increase flexibility Logic AuthZ logic independent of business logic Application PIP PEP Policy Decision Point (PDP) Role-Based AuthZ Concept Authorization can still control access to application resources Policy Information Data Point (PIP) Optionally access governance manages roles (e.g. GRC Access Controls) Slide 9 © 2005-2011 NextLabs Inc.
- 10. Universal Data Authorization Policy Business authorization Administration Point logic externalized (PAP) Application Data AuthZ PIP pplication A PEP Policy The same policy can Application PIP PEP be used across AuthZ Concept PIP PEP multiple applications AuthZ Concept Policy Decision Point (PDP) AuthZ Concept Consistent access to data in multiple applications Policy Information Point (PIP) Slide 10 © 2005-2011 NextLabs Inc.
- 11. XACML Policy Language Policy Set Target Policy-Combining Combining Algorithms Deny-overrides, Permit-overrides, First- Policy (1..n) applicable and Only-one-applicable. Target Target Rule-Combining Defines policy/rule applicability Subject Rule (1..n) Action Target Resource Condition Effect Other Obligations Advise Conditions Determine the Effect, Obligations Effect Obligations Effects Advise Allow / Deny Obligations and Advise Obligations Additional actions to be performed Advise Slide 11 © 2005-2011 NextLabs Inc.
- 12. NextLabs Policy Studio Slide 12 © 2005-2011 NextLabs Inc.
- 13. Attribute-Based Access Control (ABAC) Allow only US Engineers to access Project X Specifications from US Offices Subject Location = US AND Department = Engineering Resource Project = Project X AND Type = Specification Environment Network Address = 192.168.* Attribute-based rule retails business intent. Provide fine-grain, data level control. Slide 13 © 2005-2011 NextLabs Inc.
- 14. Policy Combining Deny Override Policy 1 (IP Control) Andy ALLOW Access Material A Application Policy 2 PIP PEP Policy Decision Point (Export Compliance) (PDP) AuthZ Concept ALLOW DENY Policy 3 (National Security) Policy Information DENY Data Point (PIP) Manage Access Rules Independently. Reduces the number of authorizations Slide 14 © 2005-2011 NextLabs Inc.
- 15. Scales Linearly with Authorization Drivers Manage Access Drivers Independently. Reduces the number of rules to manage. Required Access Rules Number of Access Variables Slide 15 © 2005-2011 NextLabs Inc.
- 16. Entitlement Manager for SAP Out-of-the-box SAP application integration Entitlement Packs ECC DMS PLM CRM Entitlement Services Security Classification Access Control Integrated Rights Entitlement Manager for SAP Management Integrated Security Audit Classification ABAC Rights Audit Management XACML Policy Management Control Center SAP Policy Model Policy Management Identity Data Remediation Extensible to Customer Programs Slide 16 © 2005-2011 NextLabs Inc.
- 17. Security Classification Central Management of Data Security Classification Attributes Provides Extensible Attributes Classification Inheritance (e.g. Document to Material Associations) Policy Based Classification Rules Granular Classification (Transaction and Document Level) Can be used to classify a BOM, separate from individual Materials UI, Batch Import and RFCs Slide 17 © 2005-2011 NextLabs Inc.
- 18. Attribute-Based Access Control Fine-grain access control to data based on data classification, user attributes (e.g. US Person) and location Policy messages to educate users on restrictions Audit of activity and policy Fully integrated in SAP UI (Web UI, Portal, SAP GUI, EasyDMS) Slide 18 © 2005-2011 NextLabs Inc.
- 19. Record Keeping and Reporting Dashboards Role based dashboards for easy access to most critical analysis Analytics Multi-dimensional summary analysis Trend Analysis End to End Activity Audit Data access, use and distribution across applications Details required for Incident Investigation and Response Compliance Audit Policy Enforcement Policy Based Activity Audit Personal and Shared Reports Slide 19 © 2005-2011 NextLabs Inc.
- 20. Benefits of XACML to SAP Customers Address compliance or security requirement not met by standard roles. Reduce the number of managed roles, especially for data level authorization. Drive authorization by rules, reduce discretionary access. Reduce cost of implementing and maintaining custom authorization logic. Leverage policies in multiple SAP and non-SAP applications for consistent authorization. Improve ability Slide 20 © 2005-2011 NextLabs Inc.
- 21. SAP Endorsed Business Solutions (EBS) An SAP Ecosystem “By Invitation Only” Program Endorsed Business Solutions P Complementary solutions selected by SAP Product and Industry groups P Application level integration with 3 month solution qualification to ensure end-to-end business process P Product roadmap guided by SAP based on Cooperative Development Agreement P Endorsed by SAP and sold by partners © 2011 SAP AG. All rights reserved. Confidential 21
- 22. Co-organized by NextLabs and SAP NextLabs Overview NextLabs Entitlement Manager is an SAP-Endorsed Business “We allow companies to preserve Solution confidentiality, prevent data loss and ensure compliance across Policy-driven, information risk management software for Global more channels and more points 5000 enterprises. with a single unified solution with Help companies achieve safer unmatched user acceptance and and more secure internal and total cost of ownership.” external collaboration Ensure proper access to applications and data - Keng Lim, Chairman and CEO Facts Locations HQ: San Mateo, CA Boston, MA Hangzhou, PRC Malaysia 25+ Patent Portfolio Major go-to-market Partners: IBM, SAP, HCL Slide 22 © 2005-2011 NextLabs Inc.
- 23. Thank You! Questions? Ruth Stephens: 650-356-4801, ruth.stephens@nextlabs.com Contact Ruth for more information: Request our whitepaper on SAP dynamic authorization and access control Request to view a self-running demo Schedule a meeting with Ruth Stephens to learn more about our Information Risk Management solutions for SAP Slide 23 © 2005-2011 NextLabs Inc.
Editor's Notes
- #8: While some of you may be familiar with XACML, others may not. So to level set, here is a quick introduction to XACML. XACML, is an standard developed within the OASIS standards organization. Its objective is to provide a model for authorization that is not tied to any specific application or product. This would allow companies to define their authorization logic in a way that is centralized, can be used across multiple applications, and can be interoperable across products from different vendors. Many of the leading technology companies support XACML and their are many commercial products that support the standard.XACML defines a standard Authorization Architecture and standard language for expressing authorization policy.XACML is based on a concept called Attribute-Based Access Control, or ABAC, which offers greater flexibility and expressiveness than traditional Role-Based Access Control models.Finally, one of the most valuable characteristics of XACML is that it allows an access control decision to be based on the simultaneous evaluation of multiple policies.Let’s take a look at these in a little more detail
- #9: If you look at a traditional authorization, native to an application you will generally see two types of authorization logic, a Role Based model like the SAP authorization concept, and business logic that in some cases is provide business processs specific authorization. For example, in CRM this may be logic that says a users needs to be assigned to an account team to view and account.This type of Business Authorization Logic, is where we find a number of SAP customers having to customize SAP by either writing code or creating customer authorization objects. A third and important components is access governance to help manage the assignment of roles to users and requisite compliance processes.
- #11: Another benefit of externalizing this business authorization logic is now the same logic can be applied to multiple applications. So for example, if you have multiple applications in your environment that manage similar data you can write a policy once regarding those data resources and apply them across all applications where that data exists. This eliminates access management silos and ensures the controls are consistent.