InsideSAP Asia, the independent resource for SAP professionals in Asia: posts tagged "podcast" (https://insidesap.asia/tag/podcast/)

The Evolution of SAP Security, Access Control, and IAM
https://insidesap.asia/the-evolution-of-sap-security-access-control-and-iam/
Published Thu, 22 Jun 2023
To identify the most suitable SAP access provisioning choice for your organisation, it is important to understand the progression of SAP security, access control, and identity access management (IAM).

In the early days of SAP (R/2), users were granted SAP access using SAP profiles. This later transformed into SAP roles through the Profile Generator (PFCG). To enhance the provisioning process and address the issue of SAP authorisation creep (users gradually being assigned additional access), SAP implemented the ability to assign SAP roles to the HR Organisation Structure. Whenever a user was assigned to an HR position within SAP, they would automatically be assigned the SAP roles associated with that HR position.

SAP Composite Roles were introduced to improve provisioning efficiency by grouping multiple single roles within a data container. When an SAP user is assigned an SAP Composite Role, they gain access to all the individual roles included in the Composite Role.

Over time, the significance of access risk management grew exponentially. The practice of granting SAP access without considering its potential risks became increasingly unsustainable. Consequently, this gave rise to the development and implementation of access control solutions, such as Governance, Risk, and Compliance (GRC) systems.

At first, access control solutions primarily assessed the SAP systems to detect access risk violations and conducted ‘What-If’ simulations to evaluate the potential risks of proposed role allocations. As access control solutions advanced, they incorporated additional features such as User Access Reviews and role provisioning. The introduction of the Business Role concept facilitated role provisioning. A Business Role functions similarly to an SAP Composite Role, serving as a data container for a group of roles (from multiple SAP systems). When a user is assigned a Business Role, they automatically inherit all the roles associated with that specific Business Role.

In most cases, a Business Role provides greater flexibility than an SAP Composite Role in access control solutions, because it allows partial assignment. For example, if an accounts payable clerk only needs 80% of the functionality offered by the ACCOUNTS PAYABLE CLERK Business Role, the role can be assigned partially. An SAP Composite Role, on the other hand, is less flexible: once it is assigned, all the individual roles associated with it become available to the user. Business Roles can also include roles from multiple SAP systems, whereas Composite Roles are limited to roles from a single SAP system.
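The Composite-versus-Business-Role distinction above, together with the "What-If" risk simulation from the earlier paragraph, modelled in a small Python example added here (it is not code from the article or from Soterion's product). The role names, system ids and segregation-of-duties rules are constructed sample data.

```python
# Added example: SAP-style role containers and a What-If access-risk check.
# Role names, system ids and SoD rules below are constructed, not real SAP data.
from dataclasses import dataclass


@dataclass(frozen=True)
class SingleRole:
    name: str
    system: str           # the SAP system the role lives in (constructed ids)
    functions: frozenset  # business functions the role grants


@dataclass(frozen=True)
class CompositeRole:
    name: str
    members: tuple        # single roles, all from ONE SAP system, all-or-nothing

    def __post_init__(self):
        if len({r.system for r in self.members}) != 1:
            raise ValueError("a Composite Role cannot span SAP systems")


@dataclass(frozen=True)
class BusinessRole:
    name: str
    members: tuple        # single roles from any number of systems, partial ok


# Constructed segregation-of-duties rules: each set is a conflicting pair.
SOD_RULES = [frozenset({"VENDOR_MAINTAIN", "VENDOR_PAYMENT"}),
             frozenset({"INVOICE_POST", "VENDOR_PAYMENT"})]


def assign(current, container, subset=None):
    """Return the user's single roles after assigning a role container."""
    if isinstance(container, CompositeRole):
        if subset is not None:
            raise ValueError("Composite Roles cannot be partially assigned")
        return set(current) | set(container.members)
    chosen = [r for r in container.members if subset is None or r.name in subset]
    return set(current) | set(chosen)


def what_if(current, container, subset=None):
    """Simulate the assignment and list the SoD conflicts the user would hold."""
    granted = set().union(*(r.functions for r in assign(current, container, subset)))
    return sorted(" + ".join(sorted(rule)) for rule in SOD_RULES if rule <= granted)


# Constructed sample roles: an AP clerk in "ECC" plus a reporting role in "BW".
VENDOR = SingleRole("Z_AP_VENDOR_MAINT", "ECC", frozenset({"VENDOR_MAINTAIN"}))
INVOICE = SingleRole("Z_AP_INVOICE_POST", "ECC", frozenset({"INVOICE_POST"}))
PAYMENT = SingleRole("Z_AP_PAYMENT_RUN", "ECC", frozenset({"VENDOR_PAYMENT"}))
REPORT = SingleRole("Z_BW_AP_REPORTS", "BW", frozenset({"AP_REPORTING"}))
AP_CLERK_COMPOSITE = CompositeRole("C_AP_CLERK", (VENDOR, INVOICE, PAYMENT))
AP_CLERK_BUSINESS = BusinessRole("ACCOUNTS PAYABLE CLERK", (VENDOR, INVOICE, PAYMENT, REPORT))
```

Running `what_if` before committing an assignment is the simulation step: the Composite Role can only be granted whole and carries both conflicts, while the Business Role can be trimmed to the subset the clerk actually needs and assigned without any conflict.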

Identity and access management (IAM) solutions were implemented to handle identity management across the whole IT environment and to streamline the Joiner-Mover-Leaver procedure. By enabling access provisioning for many systems and solutions, IAM solutions were expected to overcome the earlier provisioning difficulties and greatly improve the efficiency of onboarding and user provisioning. IAM solutions also catered for Business Roles, and went beyond the Business Roles of access control solutions, which are restricted to SAP systems: IAM solution Business Roles encompass roles from diverse systems, including both SAP and non-SAP platforms.

Utopia? Almost, but not quite.

The integration of access control solutions and IAM solutions has posed significant challenges in practice, hindering organisations from reaping the benefits of a mutually beneficial relationship between risk management and provisioning. Consequently, organisations must decide which solution will handle the overlapping tasks and functions.

Outlined below are some of the functions that can be performed by both access control and IAM solutions:

Selection of the appropriate solution for each function is critical in attaining an organisation’s desired business objectives. Each solution presents its own set of advantages and disadvantages, influenced by factors such as business goals, system and application types, and the number of solutions involved.

For organisations with an extensive SAP footprint, effectively managing access risk and maintaining a balance between provisioning efficiency and access control are paramount. If an IAM solution is chosen to handle the overlapping activities, the desired level of access risk management may not be attained. In such cases, using the access control solution for provisioning SAP access is more likely to yield the desired outcome.

Conversely, if an organisation has a limited SAP footprint and does not require comprehensive SAP access risk analysis, an IAM solution might be sufficient.

The choice of solution depends on the specific needs of the organisation.

Is opting for a hybrid model the right choice?

To achieve a balance between provisioning efficiencies and effective access risk management, one possible approach is to adopt a hybrid model.

For organisations with a significant SAP footprint and a strong focus on access risk management, an access control solution can be implemented to handle all overlapping activities within SAP systems. Simultaneously, an IAM solution can be utilised for all non-SAP systems.

An alternative approach involves utilising the access control solution for designing Business Roles and then replicating them in the IAM solution for provisioning purposes. By defining Business Roles in the access control solution, it becomes possible to leverage historical usage data and access risk information to create suitable Business Roles for specific user groups.

While implementing a hybrid model has certain drawbacks, such as requiring some business users to operate in two separate systems, it can effectively address the organisation’s need for managing SAP access risks while simultaneously improving the efficiency of SAP user provisioning to an acceptable extent.

Conclusion

Every method has its advantages and disadvantages, and there isn’t a single solution that fits every situation perfectly. When deciding, it’s important to take into account your organisation’s requirements, business goals, SAP footprint, and priorities for managing risks.

For optimal decision-making, collaboration between the SAP security and cyber teams is essential. They should engage in discussions and debates for each specific scenario to determine the most suitable solution for the organisation.

A hybrid approach might be the most favourable option, striking a balance between efficient provisioning and effective management of access risks.

Soterion hosts a podcast called ‘SAP Security & GRC’, dedicated to helping organisations on their journey to effective access risk management in SAP.

Soterion’s CEO, Dudley Cartwright, covers topics related to SAP security and GRC, providing insights and tips from industry experts as well as from his own experience over the decades. Episodes are available in audio and video formats and are between 15 and 40 minutes long. The podcast is available on all major platforms, such as Apple Podcasts, Spotify and Google Podcasts.

This article is sponsored by Soterion

Soterion Launches Informative SAP Security and GRC Podcast
https://insidesap.asia/soterion-launches-informative-sap-security-and-grc-podcast/
Published Sun, 02 Apr 2023
Soterion, an industry leader in access risk management, has recently launched a new podcast called ‘SAP Security & GRC’ focused on helping organisations achieve effective access risk management in SAP. Hosted by Dudley Cartwright, the CEO of Soterion and a renowned expert in the field, the podcast covers a wide range of topics related to SAP security, compliance, and industry news.

The podcast features interviews with experts from the SAP community who share their experiences and knowledge on topics such as identity and access management, SAP security controls, audit, and compliance. The discussions are informative, engaging, and accessible to both technical and non-technical listeners, with episodes available in audio and video formats and ranging from 15 to 40 minutes long.

One of the key features of the podcast is its focus on practical tips and solutions for SAP security and compliance. Listeners can expect real-world scenarios and actionable advice on how to address common challenges faced by SAP users.

The podcast is a valuable resource for Governance, Risk, and Compliance practitioners working in the IT or Finance departments of organisations running SAP. Whether you are a security consultant, an IT manager, or a business owner, you will find the podcast to be a valuable resource for improving your SAP security posture.

Listeners can access the podcast on all major platforms such as Apple Podcasts, Spotify, Google Podcasts, and more. To stay up to date with new episodes, visit Soterion’s website to subscribe and receive notifications. Additionally, viewers can watch the episodes on Soterion’s YouTube channel and subscribe to receive notifications of new uploads.

Soterion’s SAP Security & GRC podcast is a must-listen for anyone interested in SAP security and compliance. With its expert guests, practical advice, and insightful discussions, the podcast provides a wealth of information and knowledge that will help you stay ahead of the curve in the fast-evolving world of SAP security.

Take Me to the Podcast

  • Visit Soterion’s website and subscribe to receive notifications of new episodes: https://soterion.com/podcast/
  • Watch the episodes on Soterion’s YouTube channel and subscribe to receive notifications of new uploads.
  • Alternatively, find the podcast on your platform of choice, or type ‘SAP Security & GRC’ into your podcast app and follow it to receive notifications of new episodes.

This article is sponsored by Soterion
