Company-wide management of user identity data ensures users are described clearly by attributes and have access to all the software applications they need to carry out their duties. It involves much more than simply creating new user accounts. When a new employee joins the company, he is assigned an identity in the central human resources system with specific attributes such as surname, first name, or e-mail address. By means of provisioning, this identity is also provided in all the business applications that the employee needs to access in order to carry out his organizational role and specialist tasks. Subsequently, each modification to the identity data has to be replicated in all relevant systems throughout the life cycle of the user identity until the employee leaves the company and his account is deleted.
The more heterogeneous the IT landscape, the more challenging is the task of providing identities for the user in different software systems. Technology-specific interfaces are required to provision identity data in different manufacturers’ applications. However, these interfaces increase IT complexity and necessitate additional development and maintenance outlay.
Another challenge is to provision identities on a cross-company basis, an aspect that is increasingly in demand in business-to-business collaborations. For example, when a buyer wants to access a supplier’s portal to check a delivery status, he requires an identity and the relevant authorizations in the external IT system. However, it is no more practical or effective to link up each business partner to specific interfaces when provisioning across companies than it is when provisioning within individual companies.
Standards are a well-established means of reducing complexity in this case. Only a single interface and the required provisioning operations have to be defined to provision user identities. Since 2003, this has been carried out using the Service Provisioning Markup Language (SPML). SPML describes and standardizes typical provisioning operations such as Add, Modify, Delete, and Search. SPML, an open OASIS standard, uses established web service technology because the messages required to perform the different operations are written in XML. HTTP is used as the transfer protocol, and SOAP as the application protocol – both of which are also web-service-compatible. SPML merely specifies the format and meaning of the provisioning operations in the body of the SOAP envelope. The standard also specifies that each provisioning operation consists of exactly one request and a corresponding response message.
Take the following SPML provisioning scenario: A human resources system triggers the addition of a new user identity by sending an add request. The request is accepted and processed by a target system known as the Provisioning Service Provider (PSP). The PSP ensures that a new identity matching the details in the SPML request is created in all the relevant backend systems. The attributes of the identity, such as the name, title or e-mail address of the user, and unique identification characteristics such as the user ID are stored in databases or LDAP directories. The PSP then responds by notifying the human resources system whether or not the request has been processed successfully. For example, an error message would be returned if the password infringes a security regulation.
The SPML standard is not used to define which attributes belong to an identity. This is with good reason, because past attempts to standardize cross-manufacturer identity models with particular attributes have been unsuccessful. However, SPML makes it possible to send a standardized schema request to PSP to query what form an identity is to take in the particular system. PSP responds by providing an identity schema containing all the required and optional attributes. In this way, subsequent provisioning requests are configured to meet the requirements of the PSP and the identity stores in the backend systems managed by it.
By enabling network-wide provisioning of identities, the SPML standard is a strategically important technology for SAP. The SAP NetWeaver platform therefore supports Version 1.0 of SPML. An SPML provisioning scenario can be managed in two ways, depending on how user management is organized. In the first method, an SPML service enables the User Management Engine (UME) in the Java stack of SAP NetWeaver Application Server (AS) to process SPML requests, including those from distributed business applications in the network. The standardized SPML interface assumes the role of the PSP. It accepts the SPML request and processes it so that it can be forwarded to the UME via the SAP-specific Application Programming Interface. The UME then stores the identity data in an AS ABAP database, an AS Java database, or an LDAP directory – depending on which form of data storage has been configured for it.
In the second method, the SAP NetWeaver Identity Management component also provides an SPML interface – in addition to wide-ranging add-on functions for defining user roles, central reporting or integrated approval workflows when creating new identities. The advantage of SAP NetWeaver Identity Management over AS Java when it comes to provisioning is that it covers a greater range of backend systems. The component functions as a “broker” and “translator” that processes the SPML request and uses different protocols to provide the identity data in various backends – not only in SAP systems but also in a Microsoft Active Directory, for example. This functionality, and SAP NetWeaver Identity Management generally, come to the fore when the complexity and size of an IT landscape increases.
No matter whether a company chooses to use SAP NetWeaver Identity Management as an fully-fledged tool for company-wide identity management or merely the UME for user management, the advantage of the SPML standard is that provisioning requests from distributed applications and non-SAP systems can be processed in SAP NetWeaver without the need for specific interfaces.
Productivity and security
In general terms, the SPML standard largely automates the provisioning and modification of identities. It is no longer necessary to send administrators an e-mail to request that identities be created and modified manually. SPML makes it possible for an application to query the required schema of the identity automatically, after which PSP automatically processes the appropriately structured request and enables the identity data to be provisioned in the required backend systems. All that remains for the administrator to do is check the activities.
When different partner companies support provisioning with SPML, the standard also increases user productivity by enabling more complex scenarios such as cross-company Single Sign-On. For example, SPML can be used to implement a scenario whereby a buyer, while logging in to his company’s own system, also wants to log in to a supplier’s portal for which he has authorization. Each time he logs in to his own portal, a search request in SPML is sent to the supplier portal to check if a valid user identity exists there too. If not, the required identity is created by means of an add request structured in accordance with the supplier’s schema. If the identity does already exist, the buyer can log in immediately using Single Sign-On. This process of “just-in-time provisioning” is fully automated and saves time and effort for IT administrators. The process simply has to be agreed by both companies in advance.
The automation of routine administrative tasks with SPML usually also requires the activities to be recorded in the audit logs of the relevant systems. This increases the traceability of operations over manual processes – a key condition for satisfying the company’s legal requirements. SPML offers another advantage in this respect by supporting the deprovisioning of identities, which consists in quickly deleting or deactivating user accounts when employees leave or switch roles. Unused user accounts are often the perfect launching pad for successful attacks from the internal or external network, but they can be avoided through central management and automation of the provisioning processes with SPML.