I work in a large company, and I'm interested in best practices for internal security standards. We have a large ($500 million +) investment in SAP, and we also have .Net and a bit of Java EE in our internal environment.
我在一家大公司工作,我对内部安全标准的最佳实践感兴趣。我们在SAP上投入了大量(5亿美元以上)的投资,我们的内部环境中也有.Net和一些Java EE。
I've found some documentation from MS and SAP, but it's outdated and not very specific.
我从MS和SAP找到了一些文档,但它已经过时而且不是很具体。
So far, it looks like we could end up using Active Directory as the standard user store for all non-SAP applications, and SAP CUA / Portal for SAP applications.
到目前为止,看起来我们最终可能会使用Active Directory作为所有非SAP应用程序的标准用户存储,以及SAP CUA / Portal for SAP应用程序。
Some concerns I have about AD are:
我对AD的一些担忧是:
-
Being able to aggressively time-out for applications on shared computers (A small number of our applications run in remote offices in rural areas with a limited number of shared machines. In these cases, a supervisor with "power user" privilages could use an application, and then a clerk who should have only basic privaleges could use the same machine immediately after)
能够在共享计算机上积极地暂停应用程序(我们的少数应用程序在农村地区的远程办公室中运行,共享机器数量有限。在这些情况下,具有“超级用户”权限的主管可以使用应用程序,然后一个应该只有基本权限的职员可以在之后立即使用同一台机器)
-
Being able to force the user to enter a username and password instead of just having the credentials read from the user's workstation - Because it's pulling the same credentials for the desktop and email, it won't currently ask users to log in. This is a concern for applications on shared computers as well. (See the explanation in the previous bullet)
能够强制用户输入用户名和密码,而不是仅仅从用户的工作站读取凭据 - 因为它为桌面和电子邮件提取相同的凭据,它当前不会要求用户登录。这是一个关注共享计算机上的应用程序。 (参见上一篇文章中的解释)
As far as synchronization between AD and CUA is concerned, I want to approach this very carefully. We have a limited budget, and I want to make sure that if we end up putting something in place to synchronize the stores, that it's rock sold and provides excellent value. If we can't find something like this, I'd be comfortable coming back with a recommendation that the stores remain independent. SSO would be ideal, but I've worked with trying to get an SSO application up before SAML, and it wasn't pretty.
就AD和CUA之间的同步而言,我想非常仔细地对待它。我们的预算有限,而且我想确保如果我们最终放置一些东西来同步商店,它就是摇滚乐并且提供了极好的价值。如果我们找不到这样的东西,我会很乐意回复建议商店保持独立。 SSO是理想的,但我曾尝试在SAML之前尝试获取SSO应用程序,但它并不漂亮。
Acronyms:
-
SSO: Single Sign-On SAML: Security
SSO:单点登录SAML:安全性
-
Assertion Markup Language
断言标记语言
-
CUA: Central User Administration (For SAP)
CUA:*用户管理(适用于SAP)
3 个解决方案
#1
There is a lot of possibilities on this subject.
这个主题有很多可能性。
We had a customer that updated both their AD and their SAP user list from SAP HR. The idea was that the OM module contained all employees. You could export daily a list of all active employees to the LDAP, with basic informations (firstname, lastname, employeeId, login...). For the SAP system, unit/function/job needing a sap access where tagged and user where created/removed daily.
我们有一位客户从SAP HR更新了他们的AD和SAP用户列表。想法是OM模块包含所有员工。您可以使用基本信息(firstname,lastname,employeeId,login ...)每日将所有活动员工的列表导出到LDAP。对于SAP系统,单元/功能/作业需要标记的sap访问和每天创建/删除的用户。
In fact, all employees had a SAP account, but only those tagged had a "dialog" one. Those account are allowed to connect via SAPGUI, others had to use the portal, which is a less costly licence. A set of rules allowed to set the roles for the managed users. The goal was to minimize user management and limit the inexorable grows of autorisation that comme from moving from job to job an organisation. (this was for 105000 employe, with a lot of personnel movement).
实际上,所有员工都有一个SAP帐户,但只有那些被标记为“对话”的员工才有。允许那些帐户通过SAPGUI连接,其他帐户必须使用门户网站,这是一个成本较低的许可证。允许为托管用户设置角色的一组规则。我们的目标是最大限度地减少用户管理,并限制自动化的不可阻挡的增长,这种增长可以通过组织从一个工作岗位转移到一个工(这是105000名员工,有很多人员流动)。
Thus SAP was not directly linked to the AD, but they where synchronised. Depending on the system (Development, qulity, integration, production), SAP was configured with time-out. You could also have différent password for separate systems.
因此SAP没有直接链接到AD,但它们在同步时。根据系统(开发,质量,集成,生产),SAP配置了超时。对于单独的系统,您也可能有不同的密码。
Of course the reverse is also possible : interrogate a LDAP from SAP to manage SAP's accounts, without beeing directly linked to the LDAP. transaction LDAP can problably give you some informations.
当然,反过来也是可能的:从SAP查询LDAP以管理SAP的帐户,而不直接链接到LDAP。事务LDAP可以概括地给你一些信息。
hope this helps
希望这可以帮助
Edit : the synchronisation was done by an ABAP program. that program was run every day at four, and created/deleted/modifed some accounts in the LDAP. After that, another program added some technical informations to the LDAP entries, informations that where not available to the SAP RH system (such as the mail server to use for a given employee, depending on its location around the world). The entries where then checked for consistency, and send to the master LDAP.
编辑:同步由ABAP程序完成。该程序每天运行四次,并在LDAP中创建/删除/修改了一些帐户。之后,另一个程序向LDAP条目添加了一些技术信息,这些信息是SAP RH系统无法使用的信息(例如,用于给定员工的邮件服务器,具体取决于其在世界各地的位置)。然后检查条目的一致性,并发送到主LDAP。
This program only managed personnel and units. Groups (authorization for others application) where managed either manually, or by others programs. Thus non SAP data were also stored in the LDAP.
该计划仅管理人员和单位。用户或其他程序管理的组(其他应用程序的授权)。因此,非SAP数据也存储在LDAP中。
Regards
#2
Why is it a problem if users don't have to log in? Wouldn't that be more convenient for users? And wouldn't it give them further incentive to log out of the application?
如果用户不必登录,为什么会出现问题?这对用户来说不是更方便吗?它不会给他们进一步激励退出申请吗?
The project I'm working on now uses AD, and we have a mapping table inside of SAP to map AD accounts and SAP accounts. Syncronisation is manual, which may or may not work for you, but there's no real technical risk.
我正在研究的项目现在使用AD,我们在SAP内部有一个映射表来映射AD帐户和SAP帐户。同步是手动的,可能适用于您,也可能不适用,但没有真正的技术风险。
I wish I could give you more information, but I haven't been very involved with that side of things. I can look into it,though.
我希望我能给你更多的信息,但我并没有参与到那方面。不过,我可以调查一下。
#3
You might want to look at OpenSSO - it has agents for SAP and it will integrate with AD as the user store. It's also pretty solid - Verizon use it for 40 million customers to log in to their web site.
您可能希望查看OpenSSO - 它具有SAP代理,它将与AD集成为用户存储。它也非常可靠--Verizon使用它为4000万客户登录他们的网站。
#1
There is a lot of possibilities on this subject.
这个主题有很多可能性。
We had a customer that updated both their AD and their SAP user list from SAP HR. The idea was that the OM module contained all employees. You could export daily a list of all active employees to the LDAP, with basic informations (firstname, lastname, employeeId, login...). For the SAP system, unit/function/job needing a sap access where tagged and user where created/removed daily.
我们有一位客户从SAP HR更新了他们的AD和SAP用户列表。想法是OM模块包含所有员工。您可以使用基本信息(firstname,lastname,employeeId,login ...)每日将所有活动员工的列表导出到LDAP。对于SAP系统,单元/功能/作业需要标记的sap访问和每天创建/删除的用户。
In fact, all employees had a SAP account, but only those tagged had a "dialog" one. Those account are allowed to connect via SAPGUI, others had to use the portal, which is a less costly licence. A set of rules allowed to set the roles for the managed users. The goal was to minimize user management and limit the inexorable grows of autorisation that comme from moving from job to job an organisation. (this was for 105000 employe, with a lot of personnel movement).
实际上,所有员工都有一个SAP帐户,但只有那些被标记为“对话”的员工才有。允许那些帐户通过SAPGUI连接,其他帐户必须使用门户网站,这是一个成本较低的许可证。允许为托管用户设置角色的一组规则。我们的目标是最大限度地减少用户管理,并限制自动化的不可阻挡的增长,这种增长可以通过组织从一个工作岗位转移到一个工(这是105000名员工,有很多人员流动)。
Thus SAP was not directly linked to the AD, but they where synchronised. Depending on the system (Development, qulity, integration, production), SAP was configured with time-out. You could also have différent password for separate systems.
因此SAP没有直接链接到AD,但它们在同步时。根据系统(开发,质量,集成,生产),SAP配置了超时。对于单独的系统,您也可能有不同的密码。
Of course the reverse is also possible : interrogate a LDAP from SAP to manage SAP's accounts, without beeing directly linked to the LDAP. transaction LDAP can problably give you some informations.
当然,反过来也是可能的:从SAP查询LDAP以管理SAP的帐户,而不直接链接到LDAP。事务LDAP可以概括地给你一些信息。
hope this helps
希望这可以帮助
Edit : the synchronisation was done by an ABAP program. that program was run every day at four, and created/deleted/modifed some accounts in the LDAP. After that, another program added some technical informations to the LDAP entries, informations that where not available to the SAP RH system (such as the mail server to use for a given employee, depending on its location around the world). The entries where then checked for consistency, and send to the master LDAP.
编辑:同步由ABAP程序完成。该程序每天运行四次,并在LDAP中创建/删除/修改了一些帐户。之后,另一个程序向LDAP条目添加了一些技术信息,这些信息是SAP RH系统无法使用的信息(例如,用于给定员工的邮件服务器,具体取决于其在世界各地的位置)。然后检查条目的一致性,并发送到主LDAP。
This program only managed personnel and units. Groups (authorization for others application) where managed either manually, or by others programs. Thus non SAP data were also stored in the LDAP.
该计划仅管理人员和单位。用户或其他程序管理的组(其他应用程序的授权)。因此,非SAP数据也存储在LDAP中。
Regards
#2
Why is it a problem if users don't have to log in? Wouldn't that be more convenient for users? And wouldn't it give them further incentive to log out of the application?
如果用户不必登录,为什么会出现问题?这对用户来说不是更方便吗?它不会给他们进一步激励退出申请吗?
The project I'm working on now uses AD, and we have a mapping table inside of SAP to map AD accounts and SAP accounts. Syncronisation is manual, which may or may not work for you, but there's no real technical risk.
我正在研究的项目现在使用AD,我们在SAP内部有一个映射表来映射AD帐户和SAP帐户。同步是手动的,可能适用于您,也可能不适用,但没有真正的技术风险。
I wish I could give you more information, but I haven't been very involved with that side of things. I can look into it,though.
我希望我能给你更多的信息,但我并没有参与到那方面。不过,我可以调查一下。
#3
You might want to look at OpenSSO - it has agents for SAP and it will integrate with AD as the user store. It's also pretty solid - Verizon use it for 40 million customers to log in to their web site.
您可能希望查看OpenSSO - 它具有SAP代理,它将与AD集成为用户存储。它也非常可靠--Verizon使用它为4000万客户登录他们的网站。