Identity Management: Clever Integration of SAP Systems

Modern identity management solutions facilitate flexible business process design, connect employees with business partners, and manage the authorizations of everyone involved in a manner standardized throughout the respective company. In other words, they are indispensible to everyday business.

However, major operational restructuring or the purchase of another company can transform a monolithic single-vendor architecture into a heterogeneous identity management environment. In such situations, IT managers must often choose from several options: continuing with their current configuration, migrating, or integrating various solutions.

Identity management (IdM)

In this context, the term “identity” refers to the digital representation of a person, along with all of his or her forms of identification, authorization, and personal attributes. Identity management comprises the holistic administration of these identities throughout their entire life cycle (creation, modification, deletion). In most cases, this also includes automated assignment and adjustment of authorizations, as well as the creation, modification, and deletion of user accounts in the IT systems connected to the identity management system in question. Defined more broadly, identity management can also cover functions such as user self-services, approval workflows, password resets, and auditing.

At first glance, continuing as before with the same solutions seems reasonable: It costs nothing extra and it works. However, the IT department responsible for the solutions will then no longer be able to function optimally when integrating new business units. Imagine if employees had to use two different clients to search for a colleague in a common address directory, depending on the area or country in which the colleague worked!

Here, a standard user interface is just as crucial as data exchange interfaces.

Business as usual or migration?

Assuming that a company has to modify its solutions, some would argue that it should then take the opportunity to migrate to a common platform. However, this option is only feasible with relatively few employees, and when standard functions are performed by all of the products involved.

A merger of similarly sized companies then raises the question which half of existing licenses the companies should replace with new ones from a different provider. Taking this approach, the merging parties would also have to write off investments made in installation, customizing, and training.

Failure to choose any of the possible options and opt instead for a “neutral” solution from a third-party provider for political reasons can be even worse. If the identity management solution a company plans to integrate is capable of managing only a comparatively small amount of employee data, this would be another argument against migration.

A company can integrate target systems that may not see use elsewhere in the organization – such as enterprise resource planning (ERP) and human resource management (HRM). Products the company uses in other areas also might not immediately support the systems. Integrating systems into a developed SAP landscape is an example of such a situation.

Specific processes for user and role management

Central User Administration

For years, SAP’s Central User Administration was the solution of choice for many customers seeking to manage and assign authorizations centrally from an SAP system.

Connecting SAP systems to an identity management system can be very complex due to the heterogeneous nature of SAP software. The SAP NetWeaver technology platform and SAP Business Suite do help map business processes across companies, but both implement their own processes for user and role management.

In addition, individual SAP entities have to be integrated separately when they work partially or completely without Central User Administration, SAP’s integration solution. Since SAP has ceased further development of the solution, companies will need to exclude it in any event from their medium-term plans.

Should any of the available identity management solutions offer particular advantages concerning the integration of SAP systems, using the solution as a dedicated identity management subsystem for SAP is advisable. The criteria involved include:

•SAP certification
•The number of connectors to various SAP versions and systems
•Existing connections and their functions

Software from most providers – including Novell, Siemens, Sun Microsystems, and IBM – is able to integrate the user administration functions of SAP ERP, SAP ERP Human Capital Management (SAP ERP HCM), and SAP NetWeaver Portal and automatically create and delete accounts. However, not every solution is able to also synchronize user and portal roles and authorizations.

Using an identity management solution as a subsystem


Service Provisioning Markup Language (SPML) is an XML-based framework that aids cooperating organizations in exchanging information on users, resources, and services. SPML makes it possible to create, customize, and delete user accounts on any target systems (including SAP) in an automated fashion. This process is known as provisioning.

As a subsystem, an identity management solution takes over the synchronization of individual SAP systems and components with user and authorization information received from the central identity management system. To this central system, all of the SAP systems then appear as a single target system. Meanwhile, the subsystem handles detailed synchronization for the individual SAP systems.

In the process, the subsystem can take on the logical preprocessing of user data. This can involve, for example, the consolidation of information on an employee who is maintained in multiple personnel systems due to delegation.

When required, the identity management subsystem can also implement current identity management interfaces such as SPML to traditional SAP interfaces, among them BAPI/JCo
(if the components integrated do not all support SPML or Web services).

SAP interfaces required

Connecting to SAP software is more than a matter of course in this context: Depending on the implementation at hand, interfaces to SAP’s human resources, user administration (either directly or through Central User Administration), and customer data management systems – as well as to SAP NetWeaver Portal – can be required. However, the level and complexity of SAP integration offered by identity management solutions on the market vary beyond the scope of this article.

A number of analysts and consultants have since begun to specialize in the analysis and evaluation of the approaches of the different identity management providers who deal with SAP, as well as those of SAP itself.

In doing so, they observe more than just the pure synchronization of user information among different IT systems (also referred to as meta-directory functionality); these consultants also focus on the more general, application-oriented management of user accounts, roles, access rights, and the requirements of governance, risk, and compliance (GRC) management.

Multivendor architecture also an option

Opting for a multivendor architecture that implements identity management products from various providers often proves to be the best choice. Following the technical integration, however, companies should also begin harmonizing the conceptual approaches involved. This will not happen overnight: Identity management is an ongoing company process.

Due to increasing requirements (role management), legal circumstances (compliance), and technological developments (service-oriented architecture), said process requires constant adjustment based on clear release planning that meets all of these needs. This should include the integration and ongoing development of multivendor identity management to eliminate many potential difficulties before they arise.

Integrated parallel operations always require task sharing among the connected systems, which can depend on regional structures, the type and number of integrated systems, certain user groups, functions provided, or other factors. That said, companies typically seek to implement task sharing with increased functional classification, thereby making the most of the specific strengths of their respective identity management systems.

SAP NetWeaver Identity Management

The software component SAP NetWeaver Identity Management facilitates the centralized management and provision of user and role information in heterogeneous IT environments, regardless of whether the applications involved are from SAP. Companies can use the component to make it easier for their users to access critical online applications and other resources, as well as monitor their activity. SAP NetWeaver Identity Management protects confidential personnel and business data from unauthorized users and reduces the effort and costs involved in managing access rights and passwords.

More information on SAP NetWeaver Identity Management