updated date: 27.Jun.2023
A chatbot service by OpenAI has gone viral in the recent market. After opening public community user registration in late November 2022,
the service gained 1 million users in under a week. The high volume of user registrations and access even brought the servers down a few times.
Microsoft saw the huge business potential of large language models, which are quickly becoming an essential platform for people to innovate, apply AI to solve big problems, and imagine what's possible. Soon after, in the middle of January 2023,
Microsoft announced the general availability of the Azure OpenAI Service on its cloud platform Azure. This enables enterprise customers to provide OpenAI services on their own Azure subscription to their business end users, with much more reliable SLAs, managed enterprise security, and managed cost control compared to free community accounts.
As more and more enterprise customers are running their businesses on a multi-cloud strategy, in this article we address a scenario where SAP RISE PCE customers (whose SAP workloads are managed by SAP on a hyperscaler) have OpenAI enabled on their own Azure subscription. With this new service enabled and accessible, new possibilities and ideas will flourish. We therefore propose a reference architecture for leveraging SAP solutions to manage the workflow of user access and security.
Fig. 1: Reference architecture for RISE PCE enterprise users accessing Azure OpenAI
Problem Description:
- RISE PCE customers open the registration for OpenAI services in their own Azure subscription to their enterprise end users.
- From the enterprise users' perspective:
  - The user access registration and approval process for Azure OpenAI should be consistent with the application process for other business roles in their daily work, and also easily accessible.
  - The log-on experience to the Azure OpenAI service should be seamless, with one unified Single Sign-On (SSO) enabled. That is, they expect the same experience they have when accessing their SAP workforce applications with SSO enabled.
- From the RISE PCE customers' IT security team perspective:
  - Access control workflow management should be automated. This includes business role creation, access application approval, user lifecycle management, risk audit, fraud prevention, etc.
  - Provide a seamless unified SSO experience for end users.
Solution (major building blocks):
- SAP GRC, SAP Access Control (GRC SAC), an add-on to SAP NetWeaver (on an SAP RISE managed Virtual Machine)
  - Business role (admin, dev/contributor, business user) creation and management
  - Provides enterprise users with the access application interface (SAP GRC ARM)
  - Enables the IT security team with business role management, user access workflow management (approval, rejection, deletion), and identity lifecycle management (e.g. automatically removing access for off-boarded enterprise users)
  - Native integration with "SAP Cloud Identity Access Governance on BTP" to provide business role information
- SAP Cloud Identity Services (SAP CIS on BTP)
  - Provides unified cloud SSO
  - Integration with GRC SAC
  - Integration with Azure AD to provide enterprise user authentication
- Azure Active Directory (Azure AD)
  - Provides authentication for OpenAI services
  - Syncs user roles from SAP CIS into the corresponding AAD user groups (admin, dev/contributor, business user)
User Personas:
- Admin:
  - can access SAP GRC ARM to create/delete business roles
  - can approve/revert/reject user access applications in SAP GRC ARM
  - can add/remove other users, and create/delete user groups in AAD
  - full access to Azure OpenAI services including the ability to fine-tune, deploy, and generate text
- Developer/Contributor:
  - can access SAP GRC ARM to apply for the 'OpenAI Developer/Contributor' business role
  - can access the Azure Portal
  - full access to Azure OpenAI services including the ability to fine-tune, deploy, and generate text
  - will access OpenAI services through the following flow:
    - request the business role in GRC ARM
    - the business role is assigned
    - access through the URL from the client side
    - see the AAD log-on page
    - automatically navigated to SAP CIS, then SSO
    - access succeeds
- Business User:
  - can access SAP GRC ARM to apply for the 'OpenAI Business User' business role
  - can view files, models, and deployments
  - will access OpenAI services through the following flow:
    - request the business role in GRC ARM
    - the business role is assigned
    - access through the URL from the client side
    - see the AAD log-on page
    - automatically navigated to SAP CIS, then SSO
    - access succeeds
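The two pieces of the architecture that actually enforce least privilege are the role sync from SAP CIS into the AAD groups (Solution section) and the lifecycle step that removes access from off-boarded users, with the persona list above defining which business role lands in which group. The following is an added example, not code from the post, from SAP or from Microsoft, showing how such a reconciliation can be planned as a diff between the approved business roles and the current group membership. The role and group names, the sample assignments, the sample current membership and the object ids are all constructed assumptions; only the Microsoft Graph endpoints for adding and removing group members are real.

```python
"""Reconcile approved SAP GRC business roles into Azure AD group membership.

Added example (not from the original post). Assumptions, all constructed:
- business role names as they would be approved in SAP GRC ARM
- AAD group display names for the three personas
- sample exports of approved roles and of current group membership
"""
from __future__ import annotations

from dataclasses import dataclass

# Assumed mapping: GRC business role -> AAD group that gates Azure OpenAI access
ROLE_TO_GROUP = {
    "OpenAI Admin": "openai-admin",
    "OpenAI Developer/Contributor": "openai-dev-contributor",
    "OpenAI Business User": "openai-business-user",
}

GRAPH = "https://graph.microsoft.com/v1.0"


@dataclass(frozen=True)
class MembershipChange:
    group: str
    user: str
    action: str  # "add" or "remove"


def desired_membership(assignments: dict[str, set[str]]) -> dict[str, set[str]]:
    """Turn 'user -> approved roles' (as exported from SAP CIS) into 'group -> users'.

    A role that has no group mapping is an error: silently dropping it would
    leave the user without access, silently defaulting it could grant too much.
    """
    desired: dict[str, set[str]] = {g: set() for g in ROLE_TO_GROUP.values()}
    for user, roles in assignments.items():
        for role in roles:
            group = ROLE_TO_GROUP.get(role)
            if group is None:
                raise ValueError(f"unmapped business role {role!r} for {user}")
            desired[group].add(user)
    return desired


def plan_changes(assignments: dict[str, set[str]],
                 current: dict[str, set[str]]) -> list[MembershipChange]:
    """Compute the adds and removes that make AAD match the approved roles.

    A user with no approved role at all (off-boarded, or role revoked in GRC)
    does not appear in `assignments`, so every group membership they still
    hold shows up as a remove; that is the lifecycle step done automatically.
    Groups not in ROLE_TO_GROUP are left untouched.
    """
    desired = desired_membership(assignments)
    changes: list[MembershipChange] = []
    for group in sorted(ROLE_TO_GROUP.values()):
        want = desired[group]
        have = current.get(group, set())
        changes.extend(MembershipChange(group, u, "add") for u in sorted(want - have))
        changes.extend(MembershipChange(group, u, "remove") for u in sorted(have - want))
    return changes


def to_graph_request(change: MembershipChange, group_ids: dict[str, str],
                     user_ids: dict[str, str]) -> tuple[str, str, dict | None]:
    """Translate one planned change into the Microsoft Graph call that applies it.

    group_ids / user_ids map display names to AAD object ids; in the sample
    below they are placeholders, in practice they come from a Graph lookup.
    """
    gid, uid = group_ids[change.group], user_ids[change.user]
    if change.action == "add":
        return ("POST", f"{GRAPH}/groups/{gid}/members/$ref",
                {"@odata.id": f"{GRAPH}/directoryObjects/{uid}"})
    return ("DELETE", f"{GRAPH}/groups/{gid}/members/{uid}/$ref", None)


# Constructed sample: approved roles per user. dave has been off-boarded in
# GRC, so he no longer appears here at all; bob moved from business user to
# developer/contributor.
SAMPLE_ASSIGNMENTS = {
    "alice@example.com": {"OpenAI Admin"},
    "bob@example.com": {"OpenAI Developer/Contributor"},
    "carol@example.com": {"OpenAI Business User"},
}

# Constructed sample: what the AAD groups currently contain.
SAMPLE_CURRENT = {
    "openai-admin": {"alice@example.com"},
    "openai-dev-contributor": {"dave@example.com"},
    "openai-business-user": {"carol@example.com", "bob@example.com"},
}

if __name__ == "__main__":
    for c in plan_changes(SAMPLE_ASSIGNMENTS, SAMPLE_CURRENT):
        print(f"{c.action:6} {c.user:20} {c.group}")
```

Run as a dry run, the sample produces three changes: bob is removed from the business-user group and added to the developer group, and dave is removed from the developer group even though nobody filed a removal request, because the source of truth is the set of roles still approved in GRC. Applying the plan is then a matter of sending each `to_graph_request` result with a token that holds the group-membership write permission; keeping the plan separate from the apply step also gives the security team an auditable record of every access change.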
Disclaimer:
- RISE customers should govern and manage the Azure OpenAI service on their own Azure subscription
- SAP does not control the data that flows directly into the Azure OpenAI system
- Enterprise users should be aware of the legal concerns and know how to work with the results from Azure OpenAI services
- It is recommended to use publicly accessible data, not corporate production data
- SAP notes that posts about potential uses of generative AI and large language models are merely the individual poster's ideas and opinions, and do not represent SAP's official position or future development roadmap. SAP has no legal obligation or other commitment to pursue any course of business, or develop or release any functionality, mentioned in any post or related content on this website.
Acknowledgment to contributors/reviewers/advisors:
Ke Ma (a.k.a. Mark), Senior Consultant, SAP IES AI CoE / RISE Cloud Advisory RA group
Patrick Heinze, Senior Chatbot Developer, SAP IES AI CoE
Tommaso Nuccio, Security Architect, SAP IES Security
Jeannette Duerr, Security Associate, SAP IES Security
Richard Traut, Cloud Architect & Advisor, RISE Cloud Advisory
Kevin Flanagan, Head of Cloud Architecture & Advisory, RISE Cloud Advisory, EMEA North
Sven Bedorf, Head of Cloud Architecture & Advisory, RISE Cloud Advisory, MEE
Luc DUCOIN, Cloud Architect & Advisor, RISE Cloud Advisory
Extended Reading:
Harmonized Single Sign-On for SAP RISE customers in Multi-Cloud Environment
Join our RISE with SAP community here
S/4HANA Extension through SAP BTP with Azure OpenAI, by community member sudip.ghosh4