Striking a balance between risk, security and business enablement is a constant challenge for any organisation. SAP ERP solutions are typically business-critical to the organisation so ensuring that these critical platforms and their modules are available, accessible and delivering key functions to the organisation, whilst balancing the risks associated to granting access, at all times is imperative to the operation of the company.
SAP environments are often comprised of multiple applications, many of which are customised specifically to the business requirements of each customer.
Access to SAP modules and systems often grows organically, as new functionality is introduced by each phase of implementation, or acquisitions. This can result in a lack of a single, homogenous and job-aligned access strategy across the estate - similar to the challenges in provisioning across the whole IT estate, and what we're trying to solve with enterprise Identity Access Management.
In order to control access to these applications, a complex access hierarchy is required to govern thousands of transaction codes and authorisation objects for multiple role types. This gives people the access that they need to perform their role.
This complexity makes it difficult to enforce consistent access policies to ensure the right users have access to the right resources, eventually leading to gaps in security and compliance. This is where SAP GRC (or other SoD Tooling) helps to balance the fine-grained access hierarchy, with the ability to identify segregation of duty and sensitive access risks, not available to such a detailed level in Identity Access Management (IAM) platforms.
Integrating SAP and GRC systems to an appropriate IAM system solves these issues. IAM systems can automate provisioning, help reduce compliance risk by integrating with SoD tooling and simplify employee changes in the organisation from when they join the organisation, as they move between different roles, and help manage their off-boarding.
However, this integration comes with a few challenges which you need to be aware of:
Data consistency across all SAP systems cannot be taken for granted, especially when dealing with old SAP estates. This can lead to difficulties in data unification.
This is less problematic when SAP HR is in place, however this isn't necessarily integrated across the estate.
User Access Risk
Maintaining the fine-grained risk management and control over user and role access, including the appropriate management of Segregation of Duties and Critical and Sensitive risk, requires the right set of skills and an understanding of the least privileged role concepts. This needs to be maintained whilst also balancing the needs for the user community to perform tasks related to their day job.
Implementing the integration between SAP systems and the IAM solution requires a range of skills and some knowledge about the architecture of the solutions involved. It also requires knowledge of the business processes, and the associated risks, in order to be able to interpret the risk output in context of the jobs being provisioned.
Keeping consistency between SAP and IAM user experience can impact the success on the processing that happens behind the UIs.
Meeting Business Goals
Choosing the right IAM product can be challenging. This needs to offer the flexibility to meet the business goals of the SAP systems, as any delay or complexity in the delivery of the integration will impact the ability to realise the benefits to the SAP application(s) to help you meet your strategic business goals.