Optimize Application Integration by Running Risk Analysis and Remediation for SAP NetWeaver Portal

by Frank Rambo, Director, Regional Implementation Group (RIG) EMEA, SAP GRC (July 2010)

The Web-based environment of SAP NetWeaver Portal provides business users in your organization secure access to a wide array of SAP and non-SAP applications, information, and services, such as SAP ERP, analytics, business intelligence, and document repositories. The diversity of content delivered to your business users through SAP NetWeaver Portal may come with user access-related risks to be analyzed, monitored, and mitigated. Learn how to integrate SAP NetWeaver Portal into SAP BusinessObjects Access Control 5.3 and include it in your risk analysis, risk mitigation.

Categories: SAP NetWeaver Portal, Security

Key Concept

The SAP BusinessObjects Access Control 5.3 software comes with a Java component containing an Enterprise Portal Real-Time-Agent (EPRTA), which you have to deploy on your portal server. The EPRTA provides connectivity between your SAP BusinessObjects Access Control server and your SAP NetWeaver Portal 7.0 Support Package 12 or higher for real-time risk analysis and user provisioning. Portal content is accessed through iViews, which represent the smallest unit of the portal user interface. iViews are granted to portal users and groups via portal roles. In addition, the portal runs on a SAP NetWeaver application server Java, which uses the User Management Engine to store user-related data.

SAP NetWeaver Portal provides unified access to SAP, third-party, and custom or legacy applications. This includes single sign-on (SSO) capabilities and role-based access of your business users to these applications.

The Enterprise Portal Real-Time-Agent (EPRTA) offers the opportunity to include these applications into your risk analysis and risk mitigation. The EPRTA reports on access to iViews and User Management Engine (UME) actions resulting in segregation of duties (SoD) and critical action risks.

For example, if iViews contain SAP applications that are secured via the ABAP authorization concept in your SAP back-end systems, then there is little value in adding a second layer of risk analysis on the iView level in the SAP NetWeaver Portal. Instead, you should include these applications in the risk analysis you run directly against these SAP back-end systems.

In summary, the EPRTA comes with the following business benefits:

Simple integration of a variety of Web-enabled applications into your risk analysis
Risk mitigation for these applications
Simple reporting of access to critical roles in the portal such as roles for super-administrators, user administrators, and content administrators
Real-time reporting using the standard SAP BusinessObjects Access Control reporting capabilities already known to your internal control and security team

I’ll provide some background information on the organization of content in the SAP NetWeaver Portal, which helps in understanding the rest of the article. Then, I’ll focus on the integration of the portal into the Risk Analysis and Remediation (RAR) capability.

Would you like to see the full version of this article?

If you are an electronic license holder to SAP Professional Journal, please click here to log in.

If you would like information about becoming an electronic license holder — and having 24/7 unrestricted access to all articles and content in the SAP Professional Journal online knowledgebase — click here to see the available subscription options.

Or call 1-781-751-8799 to speak directly with a subscription and licensing specialist about customized access for you and your team.

Isn't your SAP implementation worth world-class information support?

Copyright © 2010 Wellesley Information Services. All rights reserved. Email: customer.service@sappro.com.
SAP Professional Journal, 20 Carematrix Drive, Dedham, MA 02026, USA.
Sales and Customer Service: 1-781-751-8799
SAP and the SAP logo are trademarks or registered trademarks of SAP AG in Germany and several other countries.