
Future direction of User Provisioning Tools (GRC CUP or IDM)

Former Member
0 Kudos

Hi Security Colleagues,

We all know that SAP has GRC CUP (Access Enforcer) and NW IDM for provisioning.

We can use either tool for user provisioning.

Based on your experience, what is the best tool? Of course, it changes from one company to another depending on requirements.

I have noticed that a lot of SAP development activity is going on around IDM.

Based on SAP's future direction, what is the best tool?

It's a common problem for most SAP customers, as SAP is giving IDM freely as part of the NW license.

Please share your thoughts.

Thank You.

6 REPLIES 6

Former Member
0 Kudos

> Based on your experience, what is the best tool? Of course, it changes from one company to another depending on requirements.

They are very different tools. CUP is primarily for provisioning SAP (though the connectors can automate a bit more than that).

IdM is an identity management tool which is designed to provision to many different apps. Typically IDM tools are used as the main provisioning tool for applications, network access, email etc. It does depend entirely on how you want to use it. I'm not sure how integrated IDM is with CUP currently, but I know a few companies are looking to replace CUA with IDM for provisioning to all the SAP environments. Obviously CUP is more integrated with SAP, whereas IDM will integrate with a lot more apps.

> It's a common problem for most SAP customers, as SAP is giving IDM freely as part of the NW license.

That is debatable; plenty of my clients have been asked to pay plenty of money for IDM. There is plenty of noise around it being the eventual replacement for CUA, so I can see its uptake as the product maturity increases.

0 Kudos

Also we need separate hardware to maintain IDM.

IDM 7.1 is now better, as it is an enhancement package for enterprise portal.

Regards,

Gowrinadh

sdipanjan
Active Contributor
0 Kudos

For future product availability, I always prefer the following two places to check. Can you please also check there?

http://service.sap.com/pam

http://service.sap.com/scl

Check the following two points under the second link:

Scenario & Process Component

SAP's Release Strategy

Now, based on your query, I will also stick to the suggestions given in the other two posts. To add a few more points which you may find helpful, I would like to emphasize the discussion below:

• SAP NetWeaver Identity Management helps companies to centrally manage their user accounts (identities) in a complex system landscape. This includes both SAP and non-SAP systems.

• The solution provides an authoritative, single source of user information and enables self-service management of user information and authorizations using workflow technology.

• In many cases resources such as meeting rooms, PCs and mobile devices, which all may have their own identity in some context, can be included in an identity management solution.

Out of all the other points, let's discuss Provisioning:

• The term provisioning is often used to denote user provisioning or account provisioning.

• The functionality includes:

o creation of accounts

o setting initial passwords

o setting and modifying access rights

o disabling (revoking) an account

o deleting an account

• The overall purpose is to make sure an identity (for example a user) has the correct access to the applications.

• User provisioning products also include workflow capabilities to apply business rules to the account provisioning process and typically provide user self-service capabilities (e.g., password reset).

(All these details I picked up and pasted here from different sections of a Solutioning Material I prepared for my company to introduce IDM solutions to my customer... couldn't give it here properly due to space constraints.) You can understand the importance SAP is placing on this product for all aspects of automating security and identity of Living and Non-Living staff as well. By using this you can get more benefits besides Provisioning, which is available in separate solutions under other products like Virsa etc. Please go through the relevant materials available in the IDM Forum (Bernhard provided you the link) to understand and go for a realization assessment.

regards,

Dipanjan

Edited by: Dipanjan Sanpui on Oct 5, 2009 11:42 AM

sdipanjan
Active Contributor
0 Kudos

(Contd.)...

Purpose of Provisioning project

• The most common motivation is to reduce the cost of internal maintenance - This can be lowered by simplifying the account management and automating the process of managing the accounts across repositories.

• Provisioning can also shorten the time needed for account creation, which is especially important in a B2C scenario, where the customers will use a web application to create their accounts.

• Another issue is security. In many cases, "old" accounts still exist after they are no longer in use, posing a security risk.

• Another motivation is regulatory requirements. Initiatives like the Sarbanes-Oxley Act and others place high demands on organizations to provide reports on authorization information.

• In addition, segregation of duties (SOD) is becoming more important.

Provisioning – A Few Important Points to Know for IDM as a Provisioning Tool

• Persistence plays a key role in the provisioning module. There will always be situations where temporary failures occur, such as network failures or power glitches. Since the SAP NetWeaver Identity Management product uses a reliable relational database for storing the identity information, as well as all provisioning tasks and the state of each of these, it will always be possible to recover from such failures.

• Scalability is another important issue. The provisioning module is limited only by the performance and size of the database and the processing power. Most relational databases today can be scaled by adding more hardware. The SAP NetWeaver Identity Management components can be configured to run on multiple computers, making it possible to add more computers as required.

• The provisioning module stores all logging and audit information within the database and this information is made available through a web application. In addition, any report generator can be used with the database, to produce any report required.

Former Member
0 Kudos

It's good documentation, Dipanjan.

The main factor I see with IDM is cost. All the organizations already have Active Directories, which are highly available systems. Now if you want to use IDM as a single application, then it also needs to be considered as a high-availability system. As far as I know, very few clients are now ready for IDM. It still has a long way to go!

Regards,

Gowrinadh

Former Member
0 Kudos

Hi Gowrinadh, I think you are right, there is still some way to go.

If we don't use the IDM tool at the enterprise level and just use it for provisioning our SAP apps (i.e. like CUA) then there is more direct competition with CUP.