GRC Solution Archives - InsideSAP Asia
https://insidesap.asia/tag/grc-solution/
The independent resource for SAP professionals in Asia

The Evolution of SAP Security, Access Control, and IAM
https://insidesap.asia/the-evolution-of-sap-security-access-control-and-iam/
Thu, 22 Jun 2023 06:00:00 +0000

To identify the most suitable SAP access provisioning choice for your organisation, it is important to understand the progression of SAP security, access control, and identity access management (IAM).



In the early days of SAP (R/2), users were granted SAP access using SAP profiles. This later transformed into SAP roles built with the Profile Generator (PFCG). To enhance the provisioning process and address the issue of SAP authorisation creep (users gradually accumulating additional access), SAP introduced the ability to assign SAP roles to the HR Organisation Structure. Whenever a user was assigned to an HR position within SAP, they would automatically be assigned the SAP roles associated with that HR position.

SAP Composite Roles were introduced to improve provisioning efficiency by grouping multiple single roles within a data container. When an SAP user is assigned an SAP Composite Role, they gain access to all the individual roles included in the Composite Role.

Over time, the significance of access risk management grew exponentially. The practice of granting SAP access without considering its potential risks became increasingly unsustainable. Consequently, this gave rise to the development and implementation of access control solutions, such as Governance, Risk, and Compliance (GRC) systems.

At first, access control solutions primarily assessed the SAP systems to detect access risk violations and conducted ‘What-If’ simulations to evaluate the potential risks of proposed role allocations. As access control solutions advanced, they incorporated additional features such as User Access Reviews and role provisioning. The introduction of the Business Role concept facilitated role provisioning. A Business Role functions similarly to an SAP Composite Role, serving as a data container for a group of roles (from multiple SAP systems). When a user is assigned a Business Role, they automatically inherit all the roles associated with that specific Business Role.

In most cases, a Business Role in an access control solution provides greater flexibility than an SAP Composite Role, because it allows partial assignment. For example, if an accounts payable clerk only needs 80% of the functionality offered by the ACCOUNTS PAYABLE CLERK Business Role, the Business Role can be assigned partially. An SAP Composite Role, on the other hand, is less flexible: once it is assigned, all the individual roles associated with it become available to the user. Business Roles can also include roles from multiple SAP systems, whereas Composite Roles are limited to roles from a single SAP system.

Identity and access management (IAM) solutions were implemented to handle identity management across the whole IT environment and to streamline the Joiner-Mover-Leaver procedure. By enabling access provisioning for many systems and solutions, it was anticipated that IAM solutions would overcome previous provisioning difficulties and greatly enhance the efficiency of onboarding and user provisioning. Moreover, IAM solutions also catered for Business Roles, and without the limitation of access control solution Business Roles, which are restricted to SAP systems: IAM solution Business Roles encompass roles from diverse systems, including both SAP and non-SAP platforms.

Utopia? Almost, but not quite.

The integration of access control solutions and IAM solutions has posed significant challenges in practice, hindering organisations from reaping the benefits of a mutually beneficial relationship between risk management and provisioning. Consequently, organisations must decide which solution will handle the overlapping tasks and functions.

Outlined below are some of the functions that can be performed by both access control and IAM solutions:

Selection of the appropriate solution for each function is critical in attaining an organisation’s desired business objectives. Each solution presents its own set of advantages and disadvantages, influenced by factors such as business goals, system and application types, and the number of solutions involved.

For organisations with extensive SAP footprint, effectively managing access risk and maintaining a balance between provisioning efficiencies and access control are paramount. If an IAM solution is chosen to handle overlapping activities, the desired level of access risk management may not be attained. In such cases, utilising the access control solution for provisioning SAP access could yield the desired outcome.

Conversely, if an organisation has a limited SAP footprint and does not require comprehensive SAP access risk analysis, an IAM solution might be sufficient.

The choice of solution depends on the specific needs of the organisation.

Is opting for a hybrid model the right choice?

To achieve a balance between provisioning efficiencies and effective access risk management, one possible approach is to adopt a hybrid model.

For organisations with a significant SAP footprint and a strong focus on access risk management, an access control solution can be implemented to handle all overlapping activities within SAP systems. Simultaneously, an IAM solution can be utilised for all non-SAP systems.

An alternative approach involves utilising the access control solution for designing Business Roles and then replicating them in the IAM solution for provisioning purposes. By defining Business Roles in the access control solution, it becomes possible to leverage historical usage data and access risk information to create suitable Business Roles for specific user groups.

While implementing a hybrid model has certain drawbacks, such as requiring some business users to operate in two separate systems, it can effectively address the organisation’s need for managing SAP access risks while simultaneously improving the efficiency of SAP user provisioning to an acceptable extent.

Conclusion

Every method has its advantages and disadvantages, and there isn’t a single solution that fits every situation perfectly. When deciding, it’s important to take into account your organisation’s requirements, business goals, SAP footprint, and priorities for managing risks.

For optimal decision-making, collaboration between the SAP security and cyber teams is essential. They should engage in discussions and debates for each specific scenario to determine the most suitable solution for the organisation.

A hybrid approach might be the most favourable option, striking a balance between efficient provisioning and effective management of access risks.

Soterion hosts a podcast called ‘SAP Security & GRC’, dedicated to helping organisations on their journey to effective access risk management in SAP.

Soterion’s CEO, Dudley Cartwright covers topics related to SAP security and GRC, providing insights and tips from industry experts as well as his experience over the decades. Episodes are available in audio and video formats and are between 15-40 minutes long. The podcast is available on all major platforms, such as Apple Podcasts, Spotify, Google Podcasts, etc.



This article is sponsored by Soterion

Driving Governance at Bridgestone with Soterion
https://insidesap.asia/driving-governance-at-bridgestone-with-soterion/
Wed, 13 Apr 2022 22:00:00 +0000

Discover how Bridgestone Australia use Soterion’s GRC solution to effectively maintain segregation of duties

For Bridgestone Australia, one of the most well-known tyre manufacturers in the country, dealing with risk is a daily reality. Part of their brand promise is reducing risk for their customers who trust them to manufacture high-quality tyres to keep their families safe on the road.

But when it came to managing financial risk in their SAP system, they faced challenges. With a growing team, maintaining access controls within their SAP system had become time-consuming, inefficient and costly.

High growth and legacy ERP set-up no longer sustainable

Bridgestone Australia has used SAP since 1998 and over the years the volume of users has increased significantly. In 2008 they had a small number of SAP users due to running two systems within the company, namely SAP and iSeries. Due to the volume of users being fairly small, managing segregation of duties was relatively simple.

The turning point came in 2013/14 when all Bridgestone users needed to be migrated to SAP and many new processes were introduced.

With a large number of users and the complexity of the process, the team knew this process needed to move from the existing manual processes to automation.

The search for a commercial solution

Having investigated several options, Bridgestone decided that a custom solution was the way to move forward. Leading the charge for a fit-for-purpose solution was Jess Barnes, Senior Business Analyst in the SAP team at Bridgestone Australia.

Jess understood the complexity required to create a custom program that would handle the needs of the business and the plan was for her to write IT specifications for the program during the first quarter of 2015.

It was then at the Mastering SAP Conference Australia that Jess came across Soterion, and discovered their solution could do everything she needed it to do, presenting the data beautifully, and meeting budgetary requirements.

After three days of training, the Soterion team worked closely with Bridgestone’s infrastructure team to set up a Soterion server to talk to their SAP server. After a proof of concept, in 2016 Bridgestone Australia started using the Soterion solution.

“The tool is very useful to us because it gives us a clear picture and transparency of our financial risk in the business and the team is able to present the stats to the risk committee and executive team providing peace of mind to all.”

– Jess Barnes, Senior Business Analyst

Adjusting the solution makes it more powerful

Although Soterion’s solution can be used out-the-box, there were certain setups that Jess and the Bridgestone team needed to do to customise it to their specific requirements and integrate into the company’s risk and governance control policies.

1. Reviewing the rule set

The first thing the Bridgestone team did was to review the risk level and relevancy of the standard rule set. They decided to create their own Bridgestone rule set so that they could add their own set transactions to the list.

The out-of-the-box solution classifies each risk as low, medium, high or critical. Bridgestone found that certain risks marked as ‘high’ in the standard rule set were, in their view, ‘medium’; a relevancy checkbox nonetheless allowed the team to keep oversight of all risks regardless of their level.

2. Segregation of Duties (SOD)

The second activity the team embarked on was to review all the risks that existed in the business by looking at all their users. They needed to define a mitigating control for each risk, one that the business and the auditors would both agree on.

After running the SOD risk details within the Soterion solution, users who had a particular risk were highlighted together with a long description function that defined the risk. The team were then able to record a mitigating control.

Role simulation and user simulation were used on a daily basis. When creating a new role the team could instantly check whether there was any segregation of duties, look into their risk definition details and allocate a mitigating control, ready for audit.
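The steps described above (expanding composite roles, analysing a user’s access against a rule set, recording mitigating controls, and simulating a proposed role or role assignment before it is made) can be modelled in a few dozen lines. The following is an added example and is not code from the article or from Soterion’s product. The rule set, role names, user and control id are constructed for illustration; the transaction codes are standard SAP ones. The check is deliberately at transaction-code level only, whereas a real access control solution also evaluates authorisation objects and field values.

```python
"""Minimal segregation-of-duties (SoD) analyser with what-if simulation.

Added example, not code from the article or any vendor product.
Rule set, roles and users are constructed; tcodes are standard SAP.
"""

# Constructed rule set: each risk is a pair of conflicting functions,
# each function being the set of transaction codes that grant it.
RULE_SET = {
    "P001": {  # maintain vendor master AND post vendor invoices
        "level": "high",
        "functions": ({"FK01", "FK02", "XK01", "XK02"}, {"FB60", "MIRO"}),
    },
    "P002": {  # create purchase orders AND post goods receipts
        "level": "medium",
        "functions": ({"ME21N", "ME22N"}, {"MIGO", "MB01"}),
    },
}

# Single roles and the transaction codes they grant (constructed names).
SINGLE_ROLES = {
    "Z_AP_VENDOR_MAINT": {"XK01", "XK02"},
    "Z_AP_INVOICE_POST": {"FB60", "MIRO"},
    "Z_MM_PO_CREATE": {"ME21N", "ME22N"},
    "Z_MM_GOODS_RECEIPT": {"MIGO"},
    "Z_FI_DISPLAY": {"FB03"},
}

# Composite roles group single roles; assigning one grants all of them.
COMPOSITE_ROLES = {
    "ZC_AP_CLERK": {"Z_AP_VENDOR_MAINT", "Z_AP_INVOICE_POST"},
}


def expand_roles(assigned):
    """Resolve composite roles to the single roles they contain."""
    single = set()
    for role in assigned:
        single |= COMPOSITE_ROLES.get(role, {role})
    return single


def user_tcodes(assigned):
    """All transaction codes reachable through the assigned roles."""
    tcodes = set()
    for role in expand_roles(assigned):
        tcodes |= SINGLE_ROLES.get(role, set())
    return tcodes


def risks_for_tcodes(tcodes):
    """{risk_id: level} for every rule whose two functions are both
    reachable from the given transaction codes."""
    hits = {}
    for risk_id, rule in RULE_SET.items():
        f1, f2 = rule["functions"]
        if tcodes & f1 and tcodes & f2:
            hits[risk_id] = rule["level"]
    return hits


def analyse(assigned):
    """User-level analysis: risks carried by a set of role assignments."""
    return risks_for_tcodes(user_tcodes(assigned))


def role_self_conflicts(role_tcodes):
    """Role simulation: conflicts contained within a single proposed role."""
    return risks_for_tcodes(set(role_tcodes))


def simulate(assigned, proposed):
    """User simulation (what-if): risks that adding the proposed roles
    would introduce on top of what the user already carries."""
    before = analyse(assigned)
    after = analyse(set(assigned) | set(proposed))
    return {r: lvl for r, lvl in after.items() if r not in before}


def unmitigated(assigned, controls):
    """Risks the user carries with no recorded mitigating control.
    `controls` maps risk id -> control id recorded for this user."""
    return {r: lvl for r, lvl in analyse(assigned).items() if r not in controls}


if __name__ == "__main__":
    user = {"ZC_AP_CLERK", "Z_FI_DISPLAY"}
    print("current risks:", analyse(user))
    print("what-if +PO only:", simulate(user, {"Z_MM_PO_CREATE"}))
    print("what-if +PO+GR:", simulate(user, {"Z_MM_PO_CREATE", "Z_MM_GOODS_RECEIPT"}))
    print("unmitigated:", unmitigated(user, {"P001": "CTRL-042"}))  # CTRL-042 is a constructed id
    print("new role ok?:", role_self_conflicts({"ME21N", "MIGO"}))
```

The what-if result is the difference between the analysis before and after the proposed assignment, which is what a line manager needs to see when approving a request: an existing, already mitigated risk should not be reported as new. `role_self_conflicts` is the check behind the Bridgestone lesson that a role should never contain a conflict within itself.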

Key lessons from Bridgestone’s implementation

  • Once a mitigating control has been decided on, it is a good idea to review it regularly. Bridgestone Australia does this on a yearly basis to ensure their mitigating controls are still relevant.
  • When setting up roles, ensure there are no conflicts in the same role. Revoking a role is difficult to do once the role has been set, especially with a large number of users. Setting this up correctly from the very beginning is crucial.
  • There is no need to develop a custom solution. Solutions such as Soterion’s GRC software can do everything and more, and bring with them expert knowledge built up over years.

About Soterion

Soterion is an international leading provider of governance, risk and compliance solutions for organisations running SAP. Soterion’s user-friendly GRC solutions provide in-depth access risk reporting to allow organisations to effectively manage their access risk exposure. Soterion is passionate about simplifying the governance, risk and compliance processes, with a focus on translating this complexity into a business-friendly language to enhance better decision making and business accountability.

How can Soterion Help You?

Soterion is the market leader in business-centric GRC. By converting the technical GRC language into a language the business users can understand, we facilitate business buy-in and accountability.

Feel free to email us on info@soterion.com. Let us help you take your GRC to the next level.

This article is sponsored by Soterion

Can Pablo Escobar teach us something about Risk Management?
https://insidesap.asia/can-pablo-escobar-teach-us-something-about-risk-management/
Sun, 13 Mar 2022 21:00:00 +0000

Pablo Escobar is one of the most infamous narco-terrorists of our time. His name is synonymous with illegal drugs, brutal murders, and a remarkable talent for avoiding capture. He is perhaps less well known as an access risk management professional.

But the truth is, mitigating risk was one of Pablo Escobar’s greatest achievements, and the way he operated provides us with some great principles that we can apply to SAP security and access risk management.

Now, I’m in no way glorifying Escobar’s antics, but the fact is that he ran a multi-billion dollar a year industry that had many moving parts – all without the help of the kind of sophisticated technology many of us have access to today. That’s no small feat.

While I’m not suggesting you go out and commit crime, there are some important lessons you can take from Escobar to help manage risk, enhance SAP security and improve access risk management in your organisation.

The three lines of defence for SAP security

Escobar’s greatest fear was to be caught and extradited to the US. So how is it possible that he was the most wanted person in the world for a 10 to 15 year period, everyone knew the city where he resided, yet some of the most powerful government agencies could not catch him?

The answer is Escobar was brilliant at managing risk. He not only had a very clear idea what his risks were, but he implemented a strategy better than any organisation today to mitigate those risks.

Escobar appreciated and perfected the three lines of defence. In business or otherwise, you have three lines of defence when it comes to SAP security:

  • First line: Operational / Business users
  • Second line: Risk / Compliance departments
  • Third line: Audit / Assurance departments

Your first line of defence should be your strongest

Escobar implemented an exceptionally effective first line of defence.

In his city of Medellin, he was almost untouchable. He realised the importance of having many eyes and ears on the ground, so there were all walks of life that fed him information when there was any risk. From street kids to grandmothers vending food at street corners, the moment something looked suspicious, Escobar was informed.

If a Westerner arrived at Medellin Airport, it was assumed he was a DEA agent and he would be followed and monitored. When the Colombian army made their move on Escobar, a street vendor noticed many army trucks leaving the barracks, concluded that could only be for one reason, and alerted Escobar.

It could be argued that Escobar’s second line of defence was bribing the police and the army. His third line of defence was possibly his army of assassins. However, it was Escobar’s first line of defence that was his most effective in that it got him out of trouble the most often.

For organisations, this is also true: Your first line of defence should always be your strongest.

An organisation’s first line of defence is usually the employees (super / key users) who have been in the organisation for 15 to 20 years. They understand their area of the business and its processes better than anyone else.

Unfortunately, in most organisations this is typically the weakest line of defence. That’s not because those employees don’t know the risks in their area, it’s because the organisation has not implemented the correct processes and solutions to empower those users to participate in the risk management activities.

Empower your first line of defence with business-centric solutions

If you have employees who have been with your organisation for many years and/or have an in-depth knowledge of their area of the business as well as a clear understanding of the risks, you are in a good position.

But just having these people available is not enough.

You need to empower them with the right solutions and processes to manage access risk and strengthen SAP security.

All too often organisations end up implementing complex solutions that are too technical for the business users, which result in the solutions being under-utilised or redundant. At best, these technical solutions end up being used as ‘back-end’ solutions by the IT or technical team.

When this happens, you lose your first line of defence.

Be more like Escobar (minus the drugs and deaths)

Escobar implemented a system and process where people on the ground could effectively act as the first line of defence. These first liners were educated on what was deemed a risk for Escobar. When they identified a risk, there was a clear process that the first liners could use to feed this information through to the relevant people in the organisation. Escobar empowered his first liners to raise the alarm if they noticed anything that posed a risk.

While you may not have the weapons that Escobar had, you do have a powerful weapon in risk management at your disposal – loyal and experienced operational and business users.

By enhancing business buy-in and improving your first line of defence, your organisation will become more risk aware and will be able to identify and respond more rapidly to security threats.

To give your organisation the best chance of fighting risk, you need to equip your users with the right weapons – and one of your best weapons today is a business-friendly GRC solution. By giving your people tools that they not only understand but are also not afraid to use, you empower them to effectively manage your organisation’s risk.


This article is sponsored by Soterion

SAP User Access Review – Top 6 considerations for a more effective outcome
https://insidesap.asia/sap-user-access-review-top-6-considerations-for-a-more-effective-outcome/
Mon, 20 Sep 2021 22:00:00 +0000

There are a number of components / activities that make up a Governance, Risk and Compliance (GRC) solution, many of which are backend type activities performed by GRC or SAP security administrators. However, there are certain GRC activities that have a huge touch point with business users i.e. they are the primary users of that functionality, namely:

  • SAP Access Risk Simulations (approval / rejection done by line managers)
  • User Access Review

Organisations have been asking their business users to review SAP access change requests for quite some time now. However, even with regulations such as SOX / JSOX being in existence for almost 20 years, the requirement to perform a User Access Review is a more recent requirement for many organisations.

In this article, we will take a look at the purpose of a User Access Review and discuss six technical aspects that organisations should consider in order to make the process easier and simpler for the business users.

Why is it Becoming so Important?

The primary driver behind a User Access Review is usually audit. Regulations such as the Sarbanes-Oxley (SOX) Act and JSOX require listed organisations to perform a User Access Review on a periodic basis, usually annually.

Before we go any further, let’s remind ourselves of the purposes of the User Access Review:

During the course of a specific year, SAP access change requests will be simulated using an access control solution. Line Managers / Business users will be required to review these proposed changes, with approved requests being applied in SAP.

The function of the User Access Review is to check whether that SAP access is still valid at a later point in time. For example, if a person requests access to Create Purchase Orders (ME21N) and the request is approved, the appropriate role will be assigned to the user. If this assignment was done on 1 January 2020, who is to say that the access is still relevant for that user on 1 January 2021?

The User Access Review, therefore, provides the organisation with an opportunity to re-look at the user’s access to confirm whether it is still relevant and applicable (as the user may have moved to a different job function, or their role may have changed since the role assignment was done). One of the great advantages of a User Access Review is that it limits SAP authorisation creep.

The downside for many organisations is that a User Access Review is done merely to appease audit, and the value of the activity is questionable, especially when you consider the amount of effort required by the business users to carry out a User Access Review.

There is a need to shift the mindset of the business users from treating the review as an audit tick-box exercise to seeing it as a valuable activity in remediating access risk. To support this shift in thinking, organisations need to consider several process changes that support the business, and they need to understand the challenges facing the business users who perform the SAP User Access Review. If the business users find the User Access Review process onerous and/or challenging, they will push back on the process and treat it as a tick-box exercise, and the organisation will extract minimal value from the User Access Review.

How do You Facilitate This Shift in Thinking?

Besides garnering senior management support for the User Access Review, it is critical that a number of technical aspects are considered to make the process easier and simpler for the business users. Here are a few considerations:

1. Role Design

Does the organisation’s SAP role design make it difficult for the business users to know what access users have i.e. are SAP roles non-descriptive? Are SAP roles large and contain many transaction codes?

To make the User Access Review process as simple as possible for the business users, ensure that the SAP role design lends itself to making the process easy. Functional role designs typically have more descriptive role names, making it easier for business users to understand what is contained in the SAP roles being reviewed. This will allow the business users to make more informed decisions as to whether the access is appropriate or not for the user.

Updating the role design to be descriptive may in fact require a complete role redesign. As organisations move to S/4HANA, this is a good opportunity to re-look at the organisation’s security framework and consider a role redesign that is simpler and more business friendly, thereby reducing the effort required in a User Access Review.

2. Role Methodology

Unfortunately debating SAP role methodologies is like debating religion and politics. People become familiar with a role methodology and do not fully appreciate any other methodology. Most SAP security administrators understand a derived role methodology and have a limited understanding of a task and value (functional / enabler) role methodology.

A task and value role methodology is where you split your transactional access from your Organisational level access. This results in far fewer roles needing to be created – which also means users are assigned fewer roles. Choosing a role methodology that has fewer role assignments will reduce the effort required by the business users to carry out a User Access Review.

3. Rule Set Customisation and Business Education of Access Risk

Business users performing a User Access Review are likely to pay more attention to those SAP roles assigned to their users that contribute to access risk violations. If the organisation has performed a rule set customisation project, they are likely to have defined a more appropriate and refined rule set.

The access risk rule set project serves as a great tool for educating the business users on the access risks applicable to their area. By having a better understanding of each of the access risks in the rule set, the business users can make more informed decisions during the User Access Review as to whether a risk bearing access for a particular user is acceptable or not.

4. Use a Tool to Facilitate the User Access Review Process

Performing a User Access Review in a spreadsheet often proves challenging. Although the reviewer can see the roles assigned to the users, spreadsheets often do not include usage and risk information. This results in roles being removed from a user that contain transaction codes that are being used by that user i.e. he / she requires that access to carry out their job function. This causes business disruption, and most of the removed access gets assigned back to these users immediately after the User Access Review.

By using a commercial solution for the User Access Review, the business users can make more informed decisions due to having User-Transaction usage and access risk information.

A huge benefit of using a tool to facilitate the User Access Review is that it can be configured to speed up the process. As an example, a User Access Review can be created to only include roles that contribute to access risk, thus reducing the number of role assignments that need to be reviewed. Another example is to create a User Access Review that flags roles previously ‘approved’ so that the focus can be on new assignments since the last review. To get the reviewers to perform a User Access Review well, it is important for the solution to convert the technical SAP role language into a language the business users can understand.
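The review work list described in points 4 above (usage and risk context per role assignment, an option to include only risk-contributing roles, and a flag on assignments approved in a previous cycle) can be generated from the data an access control solution collects. The following is an added example and is not code from the article or from Soterion’s Periodic Review Manager. Users, role names, usage records, the single risk definition and the prior decisions are all constructed; in a real tool the usage records would come from SAP workload statistics and the risk hits from the full rule set.

```python
"""Build a User Access Review (UAR) work list with usage and risk context.

Added example, not code from the article or any vendor product.
All data below is constructed for illustration.
"""
from datetime import date

# Single roles and the transaction codes they grant (constructed names).
ROLES = {
    "Z_AP_VENDOR_MAINT": {"XK01", "XK02"},
    "Z_AP_INVOICE_POST": {"FB60", "MIRO"},
    "Z_FI_DISPLAY": {"FB03"},
    "Z_MM_PO_CREATE": {"ME21N"},
}

# One constructed access risk: two conflicting groups of transactions.
RISKS = {
    "P001": ({"XK01", "XK02"}, {"FB60", "MIRO"}),
}

# Current role assignments per user (constructed).
ASSIGNMENTS = {
    "JSMITH": {"Z_AP_VENDOR_MAINT", "Z_AP_INVOICE_POST", "Z_FI_DISPLAY"},
    "AKHAN": {"Z_MM_PO_CREATE", "Z_FI_DISPLAY"},
}

# Constructed usage records: (user, tcode, last executed).
USAGE = [
    ("JSMITH", "FB60", date(2021, 8, 30)),
    ("JSMITH", "FB03", date(2021, 9, 1)),
    ("AKHAN", "FB03", date(2021, 7, 12)),
]

# (user, role) pairs approved in the previous review cycle (constructed).
PRIOR_APPROVED = {("JSMITH", "Z_FI_DISPLAY"), ("AKHAN", "Z_FI_DISPLAY")}


def risky_roles(roles):
    """Roles in this set that contribute to at least one risk hit."""
    tcodes = {t for r in roles for t in ROLES[r]}
    flagged = set()
    for f1, f2 in RISKS.values():
        if tcodes & f1 and tcodes & f2:  # both conflicting functions present
            flagged |= {r for r in roles if ROLES[r] & (f1 | f2)}
    return flagged


def last_use(user, role):
    """Most recent execution of any tcode in the role by this user, or None."""
    dates = [d for u, t, d in USAGE if u == user and t in ROLES[role]]
    return max(dates) if dates else None


def build_review(risk_only=False):
    """One review item per (user, role) assignment, with the context a
    line manager needs; risk_only narrows the list to risk-contributing roles."""
    items = []
    for user, roles in ASSIGNMENTS.items():
        flagged = risky_roles(roles)
        for role in sorted(roles):
            if risk_only and role not in flagged:
                continue
            items.append({
                "user": user,
                "role": role,
                "risk_contributing": role in flagged,
                "last_used": last_use(user, role),
                "previously_approved": (user, role) in PRIOR_APPROVED,
            })
    return items


def unused_assignments(as_of):
    """Assignments with no recorded usage in the 90 days before `as_of`;
    the 90-day window is an assumption, not a figure from the article."""
    result = []
    for item in build_review():
        used = item["last_used"]
        if used is None or (as_of - used).days > 90:
            result.append((item["user"], item["role"]))
    return result


if __name__ == "__main__":
    for item in build_review():
        print(item)
    print("risk-only items:", len(build_review(risk_only=True)))
    print("unused:", unused_assignments(date(2021, 9, 20)))
```

Showing `last_used` beside each role is what prevents the disruption the article describes, where a reviewer removes a role whose transactions the user runs every day. The `previously_approved` flag lets a reviewer concentrate on assignments added since the last cycle, and `risk_only` gives the narrower review the article suggests; both reduce the number of decisions and so the certification fatigue discussed under point 6.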

5. Split Reviews

If you make use of SAP Composite or Business Roles, consider splitting the review into a User Access Review and a Role Content Review.

  • Role Content Review: A role owner reviews the content of the SAP Composite or Business Role.
  • User Access Review: A line manager reviews the role assignments at the SAP Composite or Business Role level. They do not review the underlying SAP single roles – but simply whether the Composite or Business Role is appropriate for the user.

6. Iterative Reviews

Instead of having one large annual User Access Review in which all users’ access is reviewed, see whether it is possible to split this into smaller iterative reviews throughout the year. The review can be split by:

  • Geography: User Access Review done by region.
  • Risk Level: User Access Review done by risk level.
  • SAP module: User Access Review done by SAP module.

It is important to keep in mind the challenge of certification fatigue. This is where the reviewers complain about the time and effort required to carry out a User Access Review.

How can Soterion Help You?

Soterion is the market leader in business-centric GRC. By converting the technical GRC language into a language the business users can understand, we facilitate business buy-in and accountability.

Soterion’s Periodic Review Manager allows the review to be done at the business process level, making it easier and quicker for the business users to carry out their access risk management activities. This allows the business to make more informed decisions and reduces the time it takes to complete the User Access Review, saving the organisation time and money.

Feel free to email us at info@soterion.com. Let us help you take your GRC to the next level.

This article is sponsored by Soterion

Business-Centric GRC – The Future of Effective Access Risk Management https://insidesap.asia/business-centric-grc-the-future-of-effective-access-risk-management/ https://insidesap.asia/business-centric-grc-the-future-of-effective-access-risk-management/#respond Sun, 18 Jul 2021 22:00:00 +0000 https://insidesap.asia/?p=11323
An organisation’s GRC effectiveness is measured by how well the business users perform their access risk management activities.

The vast majority of organisations that have implemented a GRC or access control solution are not seeing the value they should from their GRC investment.

Why is This?

By their nature, GRC solutions are very complex and technical. They have been developed to analyse the transaction codes, authorization objects and fields available in an SAP user's 'user buffer'. Many of these solutions were developed from a technical audit perspective, with very little consideration given to their use by business users.

Generally, the more complex the solution, the less uptake from business users. Business users are at full capacity performing their daily jobs, and therefore asking them to perform onerous or cumbersome compliance tasks with complex solutions often leads to business resistance. Business users will keep pushing these activities back onto IT, with the end result being that the GRC solution will be used predominantly as a back-end solution by the security and GRC teams, with minimal business involvement.

It is important to note that access risk is business risk. An organisation cannot manage their access risk effectively without significant business involvement. Therefore, organisations need to ensure that they implement a business-centric GRC solution if they are serious about managing their SAP access risk.

What Is Business-Centric GRC?

Business-centric GRC puts the business user at the centre of the process. It is all about enhancing business accountability for access risk through a business-first approach to all SAP security and GRC activities.

By enhancing business accountability of risk, an organisation will become more risk-aware and more effective in their risk management activities. This can be illustrated by using the audit principle covering the three lines of defence.

The first line of defence is your business or operational user. The second line of defence is your risk and compliance department, and the third line of defence is the audit and assurance department.

The first line of defence should be the strongest. These are people who have been in your organisation for 15 – 20 years and understand your business better than anyone else. Yet this is often the organisation's weakest line of defence – not because users do not know the risks or the processes involved, but because the current solutions and processes do not lend themselves to business users taking ownership and becoming accountable.

As mentioned, to facilitate business buy-in, it is important that the solution is business-centric. Business-centric GRC converts technical GRC language into business-friendly language, allowing the business users to not only understand the risks in their area of responsibility, but also facilitate quicker decision making. More informed and quicker decisions reduce the business downtime of SAP users waiting for SAP access requests to be approved and assigned.

Soterion is a leader in business-centric GRC solutions. All features and functionality have been developed from the perspective of the business user. Soterion also recommends that the access risk management processes are practical for the business users to perform.

To illustrate this, consider the User Access Review process, in which business users review their users' SAP access to determine whether it is still relevant to their job function. The review typically takes the reviewers many hours. In addition to the effort required by the business to carry out the review, the value of the exercise often does not justify that effort.

Challenges such as non-descriptive SAP role names make it difficult for reviewers to know exactly what access and functionality a role entitles users to. Soterion enables the User Access Review to be performed by business process, thus removing any dependence on the SAP role naming convention. Business users are able to perform a more effective review that has a desirable business outcome. The review takes far less time and delivers significant cost savings to the organisation.

Enhancing business accountability of access risk with the use of a business-centric GRC solution will improve the organisation’s overall risk awareness and their ability to manage their risk. Every organisation should therefore be looking to improve their first line of defence by embracing elements of business-centric GRC.

For more information, please contact us at info@soterion.com

This article is sponsored by Soterion