Implementing SAP IdM

Challenge

The company wanted to reduce the manual-based workload of maintaining and managing their user information on the new SAP system, as well as to improve the security role administration. The Information Services team was small and, with only one person allocated as Security Administrator dedicated to maintaining user information, the team’s workload was and would continue to be stretched beyond capacity.

In the final stages of preparations for the SAP go-live, it soon became apparent that the system could very quickly become unmanageable if processes were not put in place to manage user information properly.

There were some 2,500 users to administer, all with some form of access to the SAP system across all areas of the organisation, from the warehouse through to HR. With the potential for human error within the manual process, the management team wanted to achieve role-based security access controls with extra HR provisioning based on HR processes.

Marek Prachar, Information Services Manager explains “The major problem we were facing was the scope and volume of the maintenance work that the Security Administrator would have to undertake manually.”

To address these needs, the company was looking to implement an integrated Identity Management solution that incorporated automated HR provisioning and de-provisioning of users.

Solution

The company had already embarked on an SAP implementation. From there, one of the key aims was to simplify and automate SAP user and role provisioning, as well as to meet audit requirements around audit trails and timely deprovisioning of terminated users. Turnkey Consulting was already engaged to design the security and business roles framework for the SAP implementation, and it was therefore a logical extension of their involvement.

A Java-based identity management solution was initially considered, however with cost being the over-arching decision factor they soon settled on the SAP IdM solution which is included as part of the licensing of SAP solutions. This option was also recommended by Turnkey Consulting as a best fit solution for the organisation’s SAP landscape and the specific challenges they were facing.

Prachar says “We were embarking on an SAP implementation so it made sense to incorporate the IdM solution. It was not originally in the scope of the implementation but we quickly realised what we would be faced with during the go-live and the post roll-out if we didn’t have some sort of identity management solution in place.”

Although IdM did not increase the licensing fees of SAP it did increase the implementation costs and subsequent training costs. The team still needed to justify the business case for IdM which Turnkey then helped to prepare. The information services team also had the benefit of previous documentation from 2009 when a Proof of Concept was preliminarily scoped for integrating IdM with the Active Directory; at that time it had been turned down due to being unable to justify the additional licensing costs.

Prachar continues “One of the key challenges that we were potentially facing was to ensure we had an audit trail for the hire, transfer and termination of employees. We were not necessarily aware of the challenge at the time, but it transpired as a benefit when we were first faced with the prospect of an SAP audit or security audit as well as segregation of duties audit. When it comes to Access Controls, this is where IdM really proved to be invaluable. But we had not understood this at the time.”

Benefits 

• Reduced maintenance time: This is now minimal as the system is fully automated. No changes are needed between IdM and the other systems. The additional work is around modifications for user profiles and business roles.
• Re-focused Security Administrator role: There is now more time to focus on designing business roles rather than reacting to day-to-day business changes. The administrator does not have to respond to every request as all these tasks are now automated. 
• Significant labour savings: The time it takes to carry out tasks has been drastically reduced as a result of implementing SAP IdM. Without IdM the team would struggle even with two people fully deployed.
• Accuracy: The provisioning and deprovisioning of business roles is now fully aligned with the HR organisation. 
• Approved audit process and traceability: The auditors are satisfied that nobody could gain access to the SAP system unless they have been properly hired and approved through the IdM approval process. This includes contractors and temporary employees. Prachar adds, “Now it is very easy to trace accountability through employee IDs, and identify when the access was provisioned or de-provisioned. There is no ambiguity.”

Working with Turnkey

Prachar says, “With Turnkey Consulting we worked as a team to prove to the management that these IdM processes would add value. Turnkey really owned our issues because we had a common goal. They knew that they would be ultimately involved in the post go-live support so they understood the amount of work that would be required if we did not have automated provisioning.”

He adds, “Turnkey’s consultants were really professional, eloquent and able to explain the benefits of the system to the users and to HR, enabling us to sell the concept on to the CIO and management team.”

“Ultimately, IdM is an unsung hero of the SAP implementation; nobody talks about it but without it we would have significant issues at go-live and post go-live,” continues Prachar. “We simply would not be able to cope with the initial amount of changes and the initial need for user provisioning that we would have experienced without SAP IdM.”

What’s next?

There’s still a desire to use IdM to provision access to all environments within the organisation’s environment (not just the SAP landscape). The team would like to integrate IdM with Microsoft Active Directory and reach the business with not just SAP access but access to other non-SAP applications.