The final part of any solution is to provide auditing and reporting capabilities for the solution. The extension for SAP environments provides real-time auditing and reporting capabilities for your SAP systems. This allows you to provide automated reports that can prove compliance with the business policies implemented when users are provisioned and granted access to resources.
In order to provide reports that contain value, the solution must be able to correlate each account and identity a user has. Each user account can have one or more identities for the account. For example, in Active Directory a user account is identified by sAMAccountName, DN, userPrincipalName, and an association. In Sentinel™, a user’s identity is tracked through Connectors. There are Connectors for each system. They send the events to a Sentinel Collectors that gather the information. The events for the users are stored in an accounts table in Sentinel. Reports are run against this data.
The problem at this point is that Sentinel is not aware that John Smith in Active Directory is the same account as jsmith in SAP. The Account Tracking feature of the Novell® Compliance Management Platform (CMP) can to track each account and identity.
Account tracking adds a Sentinel driver and an Identity Vault collector to the solution. The Sentinel driver synchronizes all accounts and identities from each system to Sentinel. The information is stored in an identity table. The Sentinel reports and the identity browser display the accounts and identities for each user. The reports also contains a list of all events for the user in each system. This provides a complete picture of what each user is doing in your environment.
The following figure shows how the solution works. Identity Manager provisions accounts for the connected systems and databases. Sentinel tracks each account and identity individually. Account Tracking connects the two features to provided real-time tracking of events for each account and identity.
Figure 6-1 Auditing User Accounts and Identities
The auditing solution for SAP consists of the following components:
SAP XAL Connector: Connects the SAP application with Sentinel.
SAP CCMS Collector: Collects all of the events from the SAP application and parses the data.
SAP Solution Pack: A set of predefined reports to use the parsed data from the SAP CCMS Collector.
Sentinel Driver: Tracks the identities of each user account throughout your environment.
Identity Vault Collector: Correlates the data sent from the Sentinel driver and other collectors to track the users’ accounts.
The following sections explain how to enable auditing for you SAP system, and document use cases for real-world scenarios that use auditing.