Using SAP NetWeaver to implement a new authorization concept based on qualifications and physical connection through RFID.
Cristea, Ana Daniela ; Prostean, Octavian ; Muschalik, Thomas et al.
1. INTRODUCTION
The authorization concept presented here was developed to give a company
the possibility of granting employees access to certain resources (the
inputs of machines) according to their abilities. As the authentication
modality we chose RFID cards, because they make it easy to extend the
functionality with further options (e.g. working-time and parking-time
recording, access to certain rooms, etc.).
There are many access control design patterns offering diverse solutions
for controlled access to resources. We mention only some of them: the
Role Based Access Control pattern (Ferraiolo et al., 2007), which grants
access to resources on the basis of roles; the Extended Authorization
pattern (Schumacher et al., 2006), the basis of the majority of access
control systems; the Metadata Based Access Control pattern (Priebe et
al., 2004), based on properties of subjects and objects; the Session
pattern (Fernandez & Guenther, 2006), based on sessions and implementing
the "least privilege" principle; and Access Control to Physical
Structures (Fernandez et al., 2007). Because none of the existing
solutions in the access control field satisfies all our requirements, it
was necessary to develop our own solution by combining the main
properties of the patterns listed above and adding some further
elements. Therefore, we have created:
1) Qualifications instead of roles
2) Login and logout sessions in which, besides the "least
privilege" principle, we have added new functionality to ensure
that, at any given moment, an employee can serve only one machine
and a machine is served by only one employee
3) Attributes for protected objects and for qualifications.
The result is a flexible, dynamic and easy-to-manage authorization
concept in which the number of machines, and the number of inputs per
machine, can be increased without limit.
To implement this concept we chose the SAP NetWeaver platform, because
it offers the following advantages: object-oriented programming in the
ABAP language, Enterprise Learning, Human Resources, a relational
database, a portal, a service-oriented architecture, web interfaces
based on the MVC (Model View Controller) design pattern, and tools for
creating multilanguage objects without recoding.
We started by creating the component elements of the authorization
concept and their relationships. We then implemented the classes and
methods required to determine an employee's authorization, created the
Web Service through which the SAP NetWeaver platform communicates with
the machines, created the qualifications and the course catalogue
required for the employees' training, and built the portal. To issue
commands to the machines and to collect information from them, we used
a SIMATIC S7-300 PLC (Programmable Logic Controller).
2. HUMAN CAPITAL MANAGEMENT HCM
HCM is the SAP ERP component used to manage all aspects of the employee
lifecycle (Chaudoir, 2009). It is one of the most complex applications
of SAP ERP, offering a broad palette of functionality. For the scope of
this project we used Human Resources (HR) and Enterprise Learning (EL).
2.1 Human Resources
HR was used to create the employees' test data. Each employee is
assigned a unique personnel number that represents his identity in the
company (Fig. 1). All data subsequently created for an employee (contact
data, education, bank account, payroll, etc.) are linked to this key.
For this reason the RFID identification cards store this key on their
tags; it is read and sent to the SAP NetWeaver platform, where the
authentication process is performed, followed by the authorization
process. Note that the tag therefore carries only an identifier, not a
secret: what the platform verifies is possession of a card bearing a
known personnel number.
2.2 Enterprise Learning
We used Enterprise Learning to create and manage everything related to
the learning process, from creating qualifications and courses to
managing their duration, price, location (classrooms, e-learning), etc.
Fig. 2 shows the structure of the qualification catalogue created for
our test machines, where QK denotes a qualification group and Q a
qualification. We split the set of machines into groups: Feeding101,
Reversing_Mill102, etc. Each group may include any number of machines.
For each machine we created three qualifications: Installer, Operator
and Tool_Setter. The qualification keys are later used to assign
qualifications to employees after they complete the corresponding
training.
[FIGURE 2 OMITTED]
3. DATABASE
The Application Server ABAP (Keller & Kruger, 2007) makes it possible
to create the relational database tables and the required global data
elements. To connect the employees' data and qualifications with the
machines they serve, we developed a database in the ABAP Dictionary. A
particular advantage is that the tables we created can be joined with
the tables that SAP itself generates when employee data and learning
data are entered. Fig. 3 shows how we linked the developed database
with the data taken over from HR (through the HR master record,
Infotype 0002, personal data) and from EL (through the Infotype 1000
database table).
4. WEB SERVICE
For the communication between the SAP NetWeaver platform and the
machines we created an inside-out Web Service whose endpoint is a
function module. Its input parameters are: the personnel number (read
from the RFID card), the machine ID (where the employee wants to log in
or log out) and a string describing the employee's activity during the
login period (an optional parameter, null for a login request). The
output parameters are: the name of the employee who logged in, his
telephone number, his right on the respective machine, and information
or warning messages. The employee's right on a machine is sent encoded
as an integer, to keep the load on the communication network low. For
the security of the communication we used a user name and password.
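The session rules from point 2 of the introduction (one employee per machine, one machine per employee) and the web-service contract described in this section, modelled together as an added example in Python. This is not the authors' ABAP function module. The bit encoding of the right (Installer = 1, Operator = 2, Tool_Setter = 4), the machine IDs, the telephone numbers and the qualification assignments are constructed assumptions of the example, and the caller is taken to be a PLC that has already authenticated to the service with the user name and password the paper mentions.

```python
"""Model of the qualification-based login/logout service (sections 1 and 4).

Added example, not the paper's ABAP function module. The bit encoding of
the right, the machine IDs and the test data are assumptions of this example.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Assumed encoding of "the right coded into an integer": one bit per
# qualification the paper defines for every machine (Fig. 2).
INSTALLER, OPERATOR, TOOL_SETTER = 1, 2, 4
QUALIFICATION_BITS = {"Installer": INSTALLER, "Operator": OPERATOR,
                      "Tool_Setter": TOOL_SETTER}


@dataclass
class Employee:
    pernr: str        # personnel number: the HR key stored on the RFID tag
    name: str
    phone: str
    # (machine ID, qualification) pairs granted after course completion in EL
    qualifications: Set[Tuple[str, str]] = field(default_factory=set)


@dataclass
class Response:
    """Output parameters of the web service: name, phone, right, message."""
    name: str
    phone: str
    right: int
    message: str


class AuthorizationService:
    def __init__(self, employees: List[Employee], machines: List[str]):
        self.employees = {e.pernr: e for e in employees}
        self.machines = set(machines)
        # Open sessions kept in both directions, so that the two constraints
        # (one machine per employee, one employee per machine) are cheap checks.
        self.machine_user: Dict[str, str] = {}
        self.user_machine: Dict[str, str] = {}
        self.activity_log: List[Tuple[str, str, str]] = []

    def right(self, pernr: str, machine_id: str) -> int:
        """Union of the employee's qualification bits for this machine."""
        quals = self.employees[pernr].qualifications
        return sum(bit for q, bit in QUALIFICATION_BITS.items()
                   if (machine_id, q) in quals)

    def handle(self, pernr: str, machine_id: str,
               activity: Optional[str] = None) -> Response:
        """Service entry point: activity is None for a login request and
        a description of the work done for a logout request."""
        emp = self.employees.get(pernr)
        if emp is None or machine_id not in self.machines:
            # Unknown card or machine: disclose nothing, right 0
            return Response("", "", 0, "Unknown personnel number or machine")
        right = self.right(pernr, machine_id)
        if activity is None:
            return self._login(emp, machine_id, right)
        return self._logout(emp, machine_id, right, activity)

    def _login(self, emp: Employee, machine_id: str, right: int) -> Response:
        if right == 0:
            return Response(emp.name, emp.phone, 0,
                            "No qualification for this machine")
        other = self.user_machine.get(emp.pernr)
        if other is not None and other != machine_id:
            return Response(emp.name, emp.phone, 0,
                            "Employee is already logged in at " + other)
        holder = self.machine_user.get(machine_id)
        if holder is not None and holder != emp.pernr:
            return Response(emp.name, emp.phone, 0,
                            "Machine is served by another employee")
        self.machine_user[machine_id] = emp.pernr
        self.user_machine[emp.pernr] = machine_id
        return Response(emp.name, emp.phone, right, "Login OK")

    def _logout(self, emp: Employee, machine_id: str, right: int,
                activity: str) -> Response:
        if self.machine_user.get(machine_id) != emp.pernr:
            return Response(emp.name, emp.phone, 0,
                            "No open session for this employee on this machine")
        self.activity_log.append((emp.pernr, machine_id, activity))
        del self.machine_user[machine_id]
        del self.user_machine[emp.pernr]
        return Response(emp.name, emp.phone, right, "Logout OK")


def build_demo_service() -> AuthorizationService:
    """Constructed test data: names from Fig. 1, everything else assumed."""
    hans = Employee("00000001", "Hans Maier", "+49 000 1",
                    {("FEED101_1", "Operator"), ("FEED101_1", "Tool_Setter"),
                     ("FEED101_2", "Operator")})
    stefan = Employee("00000002", "Stefan Schmidt", "+49 000 2",
                      {("FEED101_1", "Installer")})
    return AuthorizationService([hans, stefan],
                                ["FEED101_1", "FEED101_2", "REV102_1"])
```

A login call is `svc.handle(pernr, machine_id)`; a logout call passes the activity string as the third argument. A rejected request carries right 0 together with the warning message, so the PLC can treat "right is zero" uniformly as "do not enable the inputs" and only display the message.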
5. WEB BASED APPLICATION AND PORTAL
The Application Server ABAP provides Web Dynpro ABAP (Hoffmann, 2006)
for creating web applications using the MVC design pattern and a
WYSIWYG (What You See Is What You Get) view editor. Multi-component
applications can be created and easily reused. With it we created the
application needed to manage the interface level between the machines
and the SAP NetWeaver platform: the administrator can enrol the unique
key belonging to each employee into the authorization system. The
resulting application has been integrated into the portal (Fig. 4). To
manage the other levels, we used the tools offered by the integration
platform.
Employees receive portal users, and the content available to them in
the portal is defined through portal roles (RBAC). An employee can thus
take part in e-learning or reserve a place on the desired courses.
Besides these functions we also implemented other options, e.g. ESS
(Employee Self-Services).
[FIGURE 3 OMITTED]
6. CONCLUSIONS
In this paper we have briefly shown how we used the SAP NetWeaver
platform to implement an authorization concept based on qualifications,
which can be obtained through a learning process. We explained the need
for this concept and the main reasons for choosing the SAP platform.
The limits of the concept lie in its security: for the communication
with the Web Service we used IP address restriction together with a
user name and password. Since the personnel number on the card is only
an identifier, the strength of the scheme rests on this channel
protection and on physical control of the cards. Higher security can be
achieved by adding further components, e.g. digital certificates or
digital signatures.
7. REFERENCES
Chaudoir, S. (2009). Mastering SAP ERP HCM Organizational
Management, SAP Press, ISBN: 978-1-59229-208-0, Bonn
Fernandez, E. & Guenther, P. (2006). Patterns for session-based
access control, available from: http://epub.uni-regensburg.de/6426/
(accessed: 2009-03-10)
Fernandez, E.; Ballesteros, J.; Desouza-Doucet, A. &
Larrondo-Petrie, D. (2007). Security Patterns for Physical Access
Control Systems, in: Data and Applications Security XXI,
Barker, K. & Ahn, G. (Eds), 259-274, Springer, ISBN:
978-3540735335, Germany
Ferraiolo, D.; Kuhn, R. & Chandramouli, R. (2007). Role-Based
Access Control, Artech House, ISBN: 1-58053-370-1, Boston
Hoffmann, U. (2006). Web Dynpro for ABAP, SAP Press, ISBN:
978-1-59229-078-9, Bonn
Keller, H. & Kruger, S. (2007). ABAP Objects: ABAP Programming in
SAP NetWeaver, SAP Press, ISBN: 978-1-59229-079-6, Bonn
Priebe, T.; Fernandez, E.; Mehlau, J. & Guenther, P. (2004). A
Pattern System for Access Control, available from:
http://www.secpat.de/fileadmin/user_upload/Publikationen/PFMP04.pdf
(accessed: 2009-01-19)
Schumacher, M.; Fernandez, E. B.; Hybertson, D.; Buschmann, F.
& Sommerlad, P. (2006). Security Patterns: Integrating Security and
Systems Engineering, John Wiley & Sons, ISBN: 0-470-85884-2, Great
Britain
Fig. 1. Human Resources: the created test employees

HR, employee test data
Name              Personal number (key)
Hans Maier        00000001
Stefan Schmidt    00000002
Mathias Kade      00000003
Elisabeth Esch    00000004
Roland Hobel      00000005
...               ...
Dr. Lena Lohn     00000016

Data linked to the key: basic personal data, contact data, gross/net
payroll, net payroll, payroll data, planning data, time data
Fig. 4. The content of the portal for the administrator

Web Browser -> SAP NetWeaver Portal (SSO) -> Web Dynpro administration
application -> ...

Main options of the administration application: Search, Select,
Import, Insert, Assign, Delete

Some of the Web Dynpro functionalities we have used: Adobe technology;
Select Options (SO); ABAP List Viewer (ALV); assistance class as model;
reaction to portal events