Success Story

Enhancing SAP GRC Access Controls for improved risk reporting and user experience

Sabah Electricity Sdn Bhd (SESB) is a national utility service provider that distributes electricity to the Sabah state and Federal Territory of Labuan in Malaysia. It supplies electrical power over a wide geographic area to 400,000+ mainly domestic customers, employing more than 2,300 employees.

“Turnkey’s proactive and collaborative approach to the challenges we faced in our access management contributed significantly to the success of this project. This successful partnership helps us to achieve our business goals and mitigate risks going forward.”

— Zamri Assah, Senior Executive

Challenge

SESB was facing several challenges in the delivery of its access control management. End-to-end access provisioning was a manual process, resulting in prolonged lead times for completing requests. As a result, there was a risk of potential errors and violations within roles and responsibilities across the landscape.

A complex SAP environment was contributing to the extended access approval process. Coupled with a backlog of authorisation requests and desynchronisation of access provisioning, relevant owners did not have full visibility of access assignment or its risk status.

The lengthy, manual-based approval procedures were impacting SESB’s need for agility and responsiveness to changing access needs. Simplifying the approval process by streamlining workflows and leveraging tools to facilitate easier access management within the SAP environment could mitigate this challenge.

Solution

SESB turned to Turnkey Consulting to fully secure its SAP network with the latest end-to-end security and access management solution to streamline and automate access provisioning and the approvals process.

Prior to this project, SESB had been using two modules in the SAP GRC Access Control Suite: Access Risk Analysis to monitor segregation of duties (SoD) and Emergency User Access (EAM) to manage firefighter access for its SAP systems. The software needed upgrading in the first instance so SESB could leverage the latest capabilities and versions. The new solution would also encompass three new modules: Business Role Management (BRM), Access Request Management (ARM) and User Access Review (UAR).

Working alongside SESB’s project partner iByte Solutions, Turnkey worked collaboratively to align services to meet SESB’s exact business requirements and eliminate manual effort going forward, by enabling automated workflows. Turnkey also identified opportunities for improvement and provided valuable insight to SESB to help overcome barriers to effective access management across its complex landscape.

The SoD rule set used by the Access Risk Analysis module for reporting on risk may not have been reviewed since inception and therefore needed to be addressed and updated. It was likely that the checks performed were inadequate and could result in numerous critical IT and business access risks and exploitations across the SAP landscape.

Turnkey gathered the information requirements with each of the business stakeholders in a series of workshops, defining roles and responsibilities. With a good understanding of the business process and how SAP is used to support these processes, Turnkey was then able to identify and assess risk posture and potential violations. The new SoD ruleset, including function descriptions and permission definitions, was then agreed and implemented in the upgraded GRC.

Transforming enterprise-wide access provisioning

SESB started experiencing the benefits almost immediately, able to identify violations automatically across the entire SAP ecosystem. Reporting has also been improved with the addition of SAP Fiori, providing a user-friendly and intuitive interface targeted mainly for senior executives to access the capabilities of SAP Access Control.

Out of the 2,000+ users on SESB’s SAP system, 100 users currently have access to the GRC environment, made up of mainly requesters and approvers, with this number set to increase as usage grows. The project has effectively transformed SESB’s enterprise-wide access provisioning, considerably reducing lead times and boosting operational efficiency. Comprehensive reporting and dashboards ensure regulatory standards and internal policies are met, and have led to access visibility and transparency. Finally, the automated user access review process implemented through SAP GRC has not only improved user experience but also ensured user authorisations align with their roles and responsibilities, mitigating risk effectively.

“The team at Turnkey Consulting have been very responsive in aligning with our business requirements for this project, while maintaining clear and effective communication with us. In terms of future proofing, they were proactive in identifying opportunities for improvement and in offering valuable insights.”

— Zamri Assah, Senior Executive