
Administrator Guide: Enablement and Configuration CUSTOMER

Document Version: 1.0 – December 2016

SAP Cloud Identity Access Governance

© Copyright 2016 SAP SE or an SAP affiliate company.


Administrator Guide: Enablement and Configuration

Typographic Conventions

Type Style | Description
Example | Words or characters quoted from the screen. These include field names, screen titles, pushbutton labels, menu names, menu paths, and menu options. Also textual cross-references to other documents.
Example | Emphasized words or expressions.
EXAMPLE | Technical names of system objects. These include report names, program names, transaction codes, table names, and key concepts of a programming language when they are surrounded by body text, for example, SELECT and INCLUDE.
Example | Output on the screen. This includes file and directory names and their paths, messages, names of variables and parameters, source text, and names of installation, upgrade and database tools.
Example | Exact user entry. These are words or characters that you enter in the system exactly as they appear in the documentation.
<Example> | Variable user entry. Angle brackets indicate that you replace these words and characters with appropriate entries to make entries in the system.
EXAMPLE | Keys on the keyboard, for example, F2 or ENTER.


Document History

The following table provides an overview of the most important document changes.
Version | Date | Description
1.00 | December 2016 | Initial release

Target Audience
The administrator guide is written for the following audience:
• Technology consultants
• System administrators


Table of Contents
1 Overview ......................................................................................................................................... 5
1.1 Integration Scenario ................................................................................................................ 5
1.1.1 Components .................................................................................................................... 6
2 Prerequisites and Technical Requirements ...................................................................................... 8
2.1 Prerequisite: NetWeaver Basis Support Packs ......................................................................... 8
2.2 Required RFC User for IAG on Target System .......................................................................... 9
3 Enabling the IAG Service ............................................................................................................... 11
4 Setting up User Authentication and Application Access ................................................................ 12
4.1 Creating User Groups and Assigning Roles in HCP ................................................................. 12
4.2 Maintain Users and User Groups in SCI .................................................................................. 14
4.3 Maintain SCI as Identity Provider for HCP Tenant .................................................................. 15
5 Maintaining Security for IAG Internal Communication .................................................................. 16
6 Maintaining Cloud Connector Security ...........................................................................................17
6.1 Installing the HANA Cloud Connector .....................................................................................17
6.2 Maintaining the HANA Cloud Connector ............................................................................... 18
6.3 Maintaining Destinations for HANA Cloud Connector ........................................................... 19
7 Support Information...................................................................................................................... 20
8 Reference Information .................................................................................................................. 20
9 Copyright / Legal Notice ................................................................................................................ 21


1 Overview

SAP Cloud Identity Access Governance (IAG) is built on the SAP HANA Cloud Platform (HCP). IAG uses
SAP NetWeaver APIs to fetch data from target systems and perform access analysis.

1.1 Integration Scenario

This document and diagram cover only the scenario of IAG fetching data from SAP target systems behind a firewall and using SAP Cloud Identity (SCI) for user authentication with HCP applications.

For additional information about security, see the SAP Cloud Identity Access Governance Security Guide.


1.1.1 Components

The diagram below illustrates the components in the IAG architecture.

Note: This document and diagram cover only the scenario of IAG fetching data from SAP target systems behind a firewall and using SAP Cloud Identity (SCI) for user authentication with HCP applications.

Figure 1: Components (diagram not reproduced in this text)

Components table

Component | Description
SAP Target System (On Premise and S/4 HANA Cloud) | This is the customer target system which contains the data to be analyzed.
IAG API | The IAG API extracts data from the target system. The API is part of NetWeaver, therefore you need to upgrade your system to the required NW version. Refer to Section 2 for a list of supported NW versions and support packs.
SAP HANA Cloud Connector | SAP HANA Cloud Connector sits behind the firewall and establishes connectivity between HCP and the target system.
IAG Services | IAG services include: Access Analysis, Role Engineering, Certification, and Access Approver.
IAG Technical Components | IAG components include: Repository, Scheduler, Reporting/Analytics, Data Level Security, and Users and Roles.
SAP Cloud Identity (SCI) | SAP Cloud Identity is used for user authentication. A trust relationship is set up between the HCP and SCI tenants to enable authentication of users logging in to use IAG.


2 Prerequisites and Technical Requirements

This document assumes the following prerequisites have been completed:

• You have upgraded the target system to one of the supported NetWeaver versions and support packs. For more information, see 2.1 NetWeaver Basis Support Packs.
• You have created the required RFC user. For more information, see 2.2 Required RFC User for IAG on Target System.
• Your HCP and SCI tenant accounts have been created by SAP. You have received the respective tenant account information and activation notification.

2.1 Prerequisite: NetWeaver Basis Support Packs

You have upgraded the target system to one of the supported NetWeaver versions and support packs.

The IAG Data Extractor API is included in the following NetWeaver versions and support packs.

NetWeaver Version | Support Pack
NW 700 | SP34
NW 701 | SP19
NW 702 | SP19
NW 710 | SP21
NW 711 | SP16
NW 730 | SP16
NW 731 | SP19
NW 740 | SP16
NW 750 | SP04


2.2 Required RFC User for IAG on Target System

An RFC user is needed in the target SAP system to allow communication with IAG using the SAP HANA
Cloud Connector.

Create an RFC user with the authorization objects and values listed in the table below.

RFC Authorization Objects Table

Object | Description | Authorization Fields and Values
S_RFC | Authorization check for RFC access | ACTVT = 16; RFC_NAME = SIAG, BAPT, RFC1, SDIF, SDIFRUNTIME, SDTX, SUSR, SUUS, SU_USER, SYST, SYSU; RFC_TYPE = FUGR
S_TCODE | Authorization check at transaction start | TCD = SU01
S_TABU_DIS | Table maintenance | ACTVT = 3; DICBERCLS = &NC&, SC, SS, ZV&G, ZV&H, ZV&N
S_TOOLS_EX | Tools Performance Monitor | AUTH = S_TOOLS_EX_A
S_GUI | Authorization for GUI activities | ACTVT = S_GUI
S_USER_AGR | Authorizations: role check | ACTVT = *; ACT_GROUP = *
S_USER_AUT | User Master Maintenance: Authorizations | ACTVT = *; AUTH = *; OBJECT = *
S_USER_GRP | User Master Maintenance: User Group | ACTVT = *; CLASS = *
S_USER_PRO | User Master Maintenance: Authorization Profile | ACTVT = *; PROFILE = *
S_USER_SAS | User Master Maintenance: System-Specific Assignments | ACTVT = 01, 06, 22; ACT_GROUP = *; CLASS = *; PROFILE = *; SUBSYSTEM = *
S_USER_SYS | User Master Maintenance: System for Central User Maintenance | ACTVT = 78; SUBSYSTEM = *
S_USER_TCD | Authorizations: transactions in roles | TCD = *
S_USER_VAL | Authorizations: field values in roles | AUTH_FIELD = *; AUTH_VALUE = *; OBJECT = *
S_DEVELOP | ABAP Workbench | ACTVT = *; DEVCLASS = SUSO; OBJNAME = SIAG*; OBJTYPE = FUGR; P_GROUP = *
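As an added illustration of the least-privilege point behind this table (example code, not part of the SAP guide), the following check compares a user's granted authorizations against an excerpt of the required values and reports what is missing, what is granted more broadly than listed (for instance ACTVT * where 16 is required), and what is granted without being required. The (object, field, value) export form and the hypothetical user's grants are constructed assumptions, not an SAP export format.

```python
"""Least-privilege check for the IAG RFC user (added example, not SAP code).
REQUIRED is an excerpt of the RFC Authorization Objects table above
(object -> field -> required values). GRANTED is a constructed authorization
export for a hypothetical user; its (object, field, value) form is assumed."""

REQUIRED = {
    "S_RFC": {"ACTVT": {"16"}, "RFC_TYPE": {"FUGR"},
              "RFC_NAME": {"SIAG", "BAPT", "RFC1", "SDIF", "SDIFRUNTIME", "SDTX",
                           "SUSR", "SUUS", "SU_USER", "SYST", "SYSU"}},
    "S_TCODE": {"TCD": {"SU01"}},
    "S_TABU_DIS": {"ACTVT": {"3"},
                   "DICBERCLS": {"&NC&", "SC", "SS", "ZV&G", "ZV&H", "ZV&N"}},
    "S_DEVELOP": {"ACTVT": {"*"}, "DEVCLASS": {"SUSO"}, "OBJNAME": {"SIAG*"},
                  "OBJTYPE": {"FUGR"}, "P_GROUP": {"*"}},
}

# Constructed export with three deliberate deviations: S_RFC ACTVT is a
# wildcard instead of 16, RFC_NAME SYSU is missing, and S_TCODE SE37 is
# granted although the table does not require it.
GRANTED = [
    ("S_RFC", "ACTVT", "*"), ("S_RFC", "RFC_TYPE", "FUGR"),
    *[("S_RFC", "RFC_NAME", n) for n in ("SIAG", "BAPT", "RFC1", "SDIF",
      "SDIFRUNTIME", "SDTX", "SUSR", "SUUS", "SU_USER", "SYST")],
    ("S_TCODE", "TCD", "SU01"), ("S_TCODE", "TCD", "SE37"),
    ("S_TABU_DIS", "ACTVT", "3"),
    *[("S_TABU_DIS", "DICBERCLS", c) for c in REQUIRED["S_TABU_DIS"]["DICBERCLS"]],
    *[("S_DEVELOP", f, v) for f, vs in REQUIRED["S_DEVELOP"].items() for v in vs],
]

def covers(granted_value, required_value):
    """SAP-style value match: exact, full wildcard, or trailing-* prefix."""
    if granted_value in (required_value, "*"):
        return True
    return granted_value.endswith("*") and required_value.startswith(granted_value[:-1])

def check_rfc_user(granted, required=REQUIRED):
    """Return {"missing", "broader", "extra"} lists: required values nothing
    covers, required values covered only by a wider wildcard grant (with that
    grant), and granted values that no required value needs."""
    have = {}
    for obj, field, value in granted:
        have.setdefault(obj, {}).setdefault(field, set()).add(value)
    result = {"missing": [], "broader": [], "extra": []}
    for obj, fields in required.items():
        for field, needed in fields.items():
            got = have.get(obj, {}).get(field, set())
            for req in sorted(needed):
                if req in got:
                    continue
                wider = sorted(g for g in got if covers(g, req))
                if wider:
                    result["broader"].append((obj, field, req, wider[0]))
                else:
                    result["missing"].append((obj, field, req))
    for obj, fields in have.items():
        for field, got in fields.items():
            needed = required.get(obj, {}).get(field, set())
            for g in sorted(got):
                if g not in needed and not any(covers(g, r) for r in needed):
                    result["extra"].append((obj, field, g))
    return result

if __name__ == "__main__":
    for kind, items in check_rfc_user(GRANTED).items():
        print(kind, items)
```

Run against a real authorization export, the "broader" list is the one to review first: a wildcard that covers a required value is not a gap, but it is more access than the table asks for.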


3 Enabling the IAG Service

You must do the following to enable the IAG service.

1. Log into your HCP tenant account.


2. In the HCP Cockpit, enable the following services:
• SAP Cloud Access Governance
• Portal Services (if not already enabled)


4 Setting up User Authentication and Application Access

IAG uses SCI for authentication, and uses user groups to manage access to specific IAG tiles. IAG business users are divided mainly among 3 user groups based on the tasks they need to perform. These groups are propagated to SCI and HCP to establish end-to-end authorization.

To enable user authentication and user access to IAG applications, do the following:

1. Set Up User Groups and assign them the delivered IAG roles in HCP. See section 4.1
2. Set up Users and User Groups in SCI. See section 4.2.
3. Set up SCI as an Identity Provider for the HCP Tenant. See section 4.3.

4.1 Creating User Groups and Assigning Roles in HCP

Launchpad configuration in Portal Services controls access to the tiles. Only users with certain roles can see certain tiles, which restricts each user to the IAG functionality that their role allows.

IAG delivers the following roles. Assign them to user groups to control access to IAG applications.

Group and Roles

Create this Group | Assign the Group this Role | Group can Access these Applications | To carry out these tasks
IAG Administrator | IAGAdmin | IAGgroup, IAGjobhistory, IAGjobscheduler, IAGtechroleoverview | Setting up connections between the app and the target systems; setting up recurring jobs for synchronizing data from target systems; setting up recurring jobs for analyzing access data; viewing and maintaining technical roles synched from the target systems
IAG Compliance Team | IAGCompliance | IAGaccessanalysis, IAGcontrolmonitor, IAGdashboard, IAGunassignedaccessreport, IAGunusedaccessreport, IAGactivelyusedaccessreport | Analyzing access risks; remediating access risks; refining access; mitigating risks; auditing access compliance
IAG Application Configuration | IAGAppConfig | IAGbusinessprocess, IAGmitigationcontrol, IAGrulesetup, IAGtestplan | Setting up master data in the app; setting up parameters for analyzing access data

For more information, see SAP HANA Cloud Platform.


4.2 Maintain Users and User Groups in SCI

1. Log in to the SCI tenant, and add application users for your company.

For more information, see SAP Cloud Identity Service > User Management.
https://help.hana.ondemand.com/cloud_identity/frameset.htm?228428f9f476449cafd841a68d75b234.html#loio228428f9f476449cafd841a68d75b234

2. Create 3 user groups per the IAG Groups table below.

For more information, see SAP Cloud Identity Service > User Groups.
https://help.hana.ondemand.com/cloud_identity/frameset.htm?ddd067c899f94e2f9006cc4dd417be80.html

3. Assign the users to groups.

For more information, see SAP Cloud Identity Service > User Groups > Assign Groups to Users.
https://help.hana.ondemand.com/cloud_identity/frameset.htm?bfdeb9c00bf14f6d9f5dbd9603c96996.html

IAG Groups

Group | Related Tasks

IAG Administrator
• Setting up connections between the app and the target systems
• Setting up recurring jobs for synchronizing data from target systems
• Setting up recurring jobs for analyzing access data

IAG Application Configuration
• Setting up master data in the app
• Setting up parameters for analyzing access data

IAG Compliance Team
• Analyzing access risks
• Remediating access risks
• Refining access
• Mitigating risks
• Auditing access compliance


4.3 Maintain SCI as Identity Provider for HCP Tenant

IAG uses SCI to provide identity authentication.

To enable SCI as your identity provider, set up trust between your SCI and HCP tenants.

1. On the HCP Cockpit, generate the key pair for Local Service Provider, and save and download
the metadata.
2. On the SCI Cockpit, create a custom application for IAG, which will be used to communicate
with the HCP account.
3. Select the application, and upload the Local Service Provider metadata from the HCP tenant.
4. In the Tenant Setting tile, download the metadata file for the SCI tenant.
5. On the HCP Cockpit, configure the Identity Provider by uploading the SCI metadata.
6. On the HCP Cockpit, define the Assertion-based Groups Mapping Rules as Groups.
This mapping rule propagates the users' SCI groups to the HCP user groups, so that users gain access to the application via the HCP roles assigned to those groups.

For more information on SCI and HCP trust configuration, see SAP Cloud Identity Service.
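The assertion-based group mapping in step 6, worked through as an added example that is not part of the SAP guide and not SAP's implementation: a constructed SAML assertion from SCI carries a 'groups' attribute; the assertion is accepted only if its audience names the HCP local service provider (an assumed entity ID), and only groups that match the Group and Roles table in section 4.1 yield an HCP role and application tiles.

```python
"""Assertion-based group mapping from SCI to HCP (added example, not SAP code).
ASSERTION is a constructed SAML 2.0 assertion fragment carrying a 'groups'
attribute as SCI would send it; GROUP_ROLES mirrors the Group and Roles table
in section 4.1. The service provider entity ID is an assumed value."""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# HCP group -> (HCP role assigned to the group, IAG applications it can access)
GROUP_ROLES = {
    "IAG Administrator": ("IAGAdmin", ["IAGgroup", "IAGjobhistory",
                                       "IAGjobscheduler", "IAGtechroleoverview"]),
    "IAG Compliance Team": ("IAGCompliance", [
        "IAGaccessanalysis", "IAGcontrolmonitor", "IAGdashboard", "IAGunassignedaccessreport",
        "IAGunusedaccessreport", "IAGactivelyusedaccessreport"]),
    "IAG Application Configuration": ("IAGAppConfig", [
        "IAGbusinessprocess", "IAGmitigationcontrol", "IAGrulesetup", "IAGtestplan"]),
}

# Assumed entity ID of the HCP local service provider (step 1 of the trust setup).
SP_ENTITY_ID = "https://hcp.example.test/localsp"

# Constructed assertion: one IAG group plus one group HCP knows nothing about.
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_c0ffee" Version="2.0">
  <saml:Subject><saml:NameID>P000001</saml:NameID></saml:Subject>
  <saml:Conditions>
    <saml:AudienceRestriction>
      <saml:Audience>https://hcp.example.test/localsp</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>IAG Compliance Team</saml:AttributeValue>
      <saml:AttributeValue>Finance Users</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def audience_matches(xml_text, expected_audience):
    """True if the assertion's AudienceRestriction names this service provider."""
    root = ET.fromstring(xml_text)
    return expected_audience in [a.text.strip() for a in root.iterfind(".//saml:Audience", NS) if a.text]

def groups_from_assertion(xml_text, expected_audience):
    """Return the 'groups' attribute values, rejecting an assertion issued for another
    service provider. Signature checking belongs to the platform trust (steps 1 to 5)."""
    if not audience_matches(xml_text, expected_audience):
        raise ValueError("assertion audience does not match this service provider")
    root = ET.fromstring(xml_text)
    groups = []
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == "groups":
            groups += [v.text.strip() for v in attr.iterfind("saml:AttributeValue", NS)
                       if v.text]
    return groups

def map_groups(groups):
    """Apply the 'Groups' mapping rule: a group that exists in HCP yields its role
    and tiles; a group unknown to HCP grants nothing and is reported as ignored."""
    result = {"roles": [], "applications": [], "ignored": []}
    for g in groups:
        if g in GROUP_ROLES:
            role, tiles = GROUP_ROLES[g]
            result["roles"].append(role)
            result["applications"].extend(tiles)
        else:
            result["ignored"].append(g)
    return result
```

The "ignored" list is worth logging in practice: a group name that arrives from SCI but matches nothing in HCP usually means a typo on one side of the trust, and the user silently gets no tiles.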


5 Maintaining Security for IAG Internal Communication

IAG uses OAuth to protect communication between the IAG Provisioning and Repository services.

Do the following to set up OAuth for IAG services:

1. Set up OAuth clients for Repository and Provisioning.


1.1 Log into the HCP Tenant account and go to Security > OAuth.
1.2 Go to the Client tab and click Register New Client and register two new clients: Repository
and Provisioning.
1.3 In the Subscription field:
• For the Repository client, select w…/iagrepository.
• For the Provisioning client, select w…/iagprovisioning.
1.4 For Authorization Grant, select Client Credentials.
1.5 In the Secret field, enter the password.

Use the ID and password information for step 2.


2. Maintain Destinations for the OAuth clients.
2.1 In the left navigation, click Destinations. Two clients are already provided for you.
• OAuthService
• AccessAnalysis (Repository Service)
2.2 Update them with the Client ID and Password from step 1.
2.2.1 Click the OAuthService destination, and update it with the information from the
Provisioning client. In the User field, enter the Client ID. In the Password field, enter the
password from the Secret field.
2.2.2 Click AccessAnalysis (Repository Service) destination, and update it with the
information from the Repository client. In the User field, enter the Client ID. In the
Password field, enter the password from the Secret field.

For information on OAuth roles, see the SAP Cloud Identity Access Governance Security Guide.


6 Maintaining Cloud Connector Security

SAP HANA Cloud Connector serves as the link between on-demand applications in SAP HANA Cloud Platform and existing on-premise systems.

The Cloud Connector runs as an on-premise agent in a secured network and acts as a reverse invoke proxy between the on-premise network and SAP HANA Cloud Platform.

For more information, see https://help.hana.ondemand.com/ → SAP HANA Cloud Platform → Services → Connectivity Service → SAP HANA Cloud Connector.

Refer to the following topics:

1. Install the Cloud connector.


2. Set up mutual authentication between the Cloud connector and a back-end system:
Initial Configuration
Initial Configuration (HTTP)
Initial Configuration (RFC)
3. Allow your Web application to access a back-end system on the intranet:
Configuring Access Control (HTTP)
Configuring Access Control (RFC)
4. Connect your Web application to an on premise system:
Consuming Back-End Systems (Java Web or Java EE 6 Web Profile)

6.1 Installing the HANA Cloud Connector

The SAP HANA Cloud Connector runs as an on-premise agent in a secured network and acts as a
reverse invoke proxy between customer on-premise network and SAP HANA Cloud Platform. Due to its
reverse invoke support, you don't need to configure the on-premise firewall to allow external access
from the cloud to internal systems.

Follow the steps for Installing the HANA Cloud Connector. Install the scenario: Connecting Cloud Applications to On-Premise Systems.
https://help.hana.ondemand.com/help/frameset.htm?e6c7616abb5710148cfcf3e75d96d596.html


6.2 Maintaining the HANA Cloud Connector

Pre-requisite: You have already activated your user (Pxxxx) in SAP Cloud Identity and have administrator access to this account.
Example of Admin SCI URL: https://<CompanyName>.accounts.ondemand.com/admin/

Note: For the following, maintain one HANA Cloud Connector for each target system.

1. Log in to your SAP HANA Cloud Connector and create a new account. Go to Account Dashboard and click Add Account.
2. Enter the following details and save the data:
• Landscape Host: us2.hana.ondemand.com if your cloud tenant is hosted in the US data center, or eu1.hana.ondemand.com if it is hosted in the Europe data center
• Account Name: <HCP account name>
• Display Name: <Company Name>
• Account User: <P USER ID activated in SCI>
• Password: <Password created for P USER ID in SCI>
3. Select the created account and click Access Control.
4. Add a system mapping for each on-premise target system. (For an SAP ERP system, enter Back-end Type = ABAP System, Protocol = RFC, and the system configuration.)
5. Select the system mapping created above and add the function module name prefix SIAG, so that only function modules whose names begin with SIAG are reachable through the connector.


6.3 Maintaining Destinations for HANA Cloud Connector

In the HCP Cockpit, maintain destinations for each target system to enable communication via the
HANA Cloud Connector.

For more information, see SAP HANA Cloud Connector.


7 Support Information

For assistance and questions, you can open a BCP ticket under component GRC-IAG.

8 Reference Information

For additional information, see:

• SAP HANA Cloud Platform


• SAP Cloud Identity Service Security Guide
• SAP Cloud Identity Access Governance Security Guide


9 Copyright / Legal Notice

© 2016 SAP SE or an SAP affiliate company. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose
without the express permission of SAP SE or an SAP affiliate company. The information
contained herein may be changed without prior notice.

Some software products marketed by SAP SE and its distributors contain proprietary software
components of other software vendors. National product specifications may vary.

These materials are provided by SAP SE or an SAP affiliate company for informational purposes
only, without representation or warranty of any kind, and SAP or its affiliated companies shall
not be liable for errors or omissions with respect to the materials. The only warranties for SAP
or SAP affiliate company products and services are those that are set forth in the express
warranty statements accompanying such products and services, if any. Nothing herein should
be construed as constituting an additional warranty.

SAP and other SAP products and services mentioned herein as well as their respective logos are
trademarks or registered trademarks of SAP SE (or an SAP affiliate company) in Germany and
other countries. All other product and service names mentioned are the trademarks of their
respective companies.

Please see https://www.sap.com/corporate-en/legal/copyright/index.epx for additional trademark information and notices.
