SAP Security Archives - InsideSAP Asia https://insidesap.asia/tag/sap-security/
The independent resource for SAP professionals in Asia. Feed last updated Mon, 26 Jun 2023 06:07:02 +0000.

The Evolution of SAP Security, Access Control, and IAM
https://insidesap.asia/the-evolution-of-sap-security-access-control-and-iam/
Published Thu, 22 Jun 2023 06:00:00 +0000

To identify the most suitable SAP access provisioning choice for your organisation, it is important to understand the progression of SAP security, access control, and identity access management (IAM).

In the early days of SAP (R/2 and early R/3), users were granted access by assigning authorisation profiles directly. This later became SAP roles built with the Profile Generator (PFCG). To improve the provisioning process and curb SAP authorisation creep (users gradually accumulating additional access), SAP added the ability to attach SAP roles to positions in the HR organisational structure: whenever a user was assigned to an HR position in SAP, they automatically received the SAP roles linked to that position.

SAP Composite Roles were introduced to improve provisioning efficiency by grouping multiple single roles in one container. A Composite Role carries no authorisation data of its own; when a user is assigned a Composite Role, they receive every single role it contains.

Over time, access risk management became far more important. Granting SAP access without considering the risk it creates (for example, a segregation-of-duties conflict) became unsustainable, and this drove the development and adoption of access control solutions such as Governance, Risk, and Compliance (GRC) systems.

At first, access control solutions primarily assessed the SAP systems to detect access risk violations and conducted ‘What-If’ simulations to evaluate the potential risks of proposed role allocations. As access control solutions advanced, they incorporated additional features such as User Access Reviews and role provisioning. The introduction of the Business Role concept facilitated role provisioning. A Business Role functions similarly to an SAP Composite Role, serving as a data container for a group of roles (from multiple SAP systems). When a user is assigned a Business Role, they automatically inherit all the roles associated with that specific Business Role.

In most access control solutions a Business Role is more flexible than an SAP Composite Role because it can be assigned partially. For example, if an accounts payable clerk needs only 80% of the functionality in the ACCOUNTS PAYABLE CLERK Business Role, just that subset can be assigned. An SAP Composite Role is less flexible: once it is assigned, every single role it contains becomes available to the user. Business Roles can also include roles from multiple SAP systems, whereas a Composite Role is limited to roles from the one SAP system in which it is defined.

Identity and access management (IAM) solutions were implemented to handle identity management across the whole IT environment and to streamline the Joiner-Mover-Leaver process. By provisioning access to many systems and applications from one place, IAM solutions were expected to overcome the earlier provisioning difficulties and greatly improve the efficiency of onboarding and user provisioning. IAM solutions also support Business Roles, without the limitation of access control solutions, whose Business Roles are restricted to SAP systems: an IAM Business Role can contain roles from diverse systems, both SAP and non-SAP.

Utopia? Almost, but not quite.

The integration of access control solutions and IAM solutions has posed significant challenges in practice, hindering organisations from reaping the benefits of a mutually beneficial relationship between risk management and provisioning. Consequently, organisations must decide which solution will handle the overlapping tasks and functions.

Outlined below are some of the functions that can be performed by both access control and IAM solutions:

Selection of the appropriate solution for each function is critical in attaining an organisation’s desired business objectives. Each solution presents its own set of advantages and disadvantages, influenced by factors such as business goals, system and application types, and the number of solutions involved.

For organisations with an extensive SAP footprint, managing access risk effectively and maintaining a balance between provisioning efficiency and access control are paramount. If an IAM solution is chosen to handle the overlapping activities, the desired level of access risk management may not be attained. In such cases, using the access control solution to provision SAP access could yield the desired outcome.

Conversely, if an organisation has a limited SAP footprint and does not require comprehensive SAP access risk analysis, an IAM solution might be sufficient.

The choice of solution depends on the specific needs of the organisation.

Is opting for a hybrid model the right choice?

To achieve a balance between provisioning efficiencies and effective access risk management, one possible approach is to adopt a hybrid model.

For organisations with a significant SAP footprint and a strong focus on access risk management, an access control solution can be implemented to handle all overlapping activities within SAP systems. Simultaneously, an IAM solution can be utilised for all non-SAP systems.

An alternative approach involves utilising the access control solution for designing Business Roles and then replicating them in the IAM solution for provisioning purposes. By defining Business Roles in the access control solution, it becomes possible to leverage historical usage data and access risk information to create suitable Business Roles for specific user groups.

While implementing a hybrid model has certain drawbacks, such as requiring some business users to operate in two separate systems, it can effectively address the organisation’s need for managing SAP access risks while simultaneously improving the efficiency of SAP user provisioning to an acceptable extent.

Conclusion

Every method has its advantages and disadvantages, and there isn’t a single solution that fits every situation perfectly. When deciding, it’s important to take into account your organisation’s requirements, business goals, SAP footprint, and priorities for managing risks.

For optimal decision-making, collaboration between the SAP security and cyber teams is essential. They should engage in discussions and debates for each specific scenario to determine the most suitable solution for the organisation.

A hybrid approach might be the most favourable option, striking a balance between efficient provisioning and effective management of access risks.

Soterion hosts a podcast called ‘SAP Security & GRC’, dedicated to helping organisations on their journey to effective access risk management in SAP.

Soterion’s CEO, Dudley Cartwright, covers topics related to SAP security and GRC, providing insights and tips from industry experts as well as from his own decades of experience. Episodes are available in audio and video formats and run between 15 and 40 minutes. The podcast is available on all major platforms, such as Apple Podcasts, Spotify, and Google Podcasts.

This article is sponsored by Soterion

Soterion Launches Informative SAP Security and GRC Podcast
https://insidesap.asia/soterion-launches-informative-sap-security-and-grc-podcast/
Published Sun, 02 Apr 2023 23:00:00 +0000

Soterion, an industry leader in access risk management, has recently launched a new podcast called ‘SAP Security & GRC’ focused on helping organisations achieve effective access risk management in SAP. Hosted by Dudley Cartwright, the CEO of Soterion and a renowned expert in the field, the podcast covers a wide range of topics related to SAP security, compliance, and industry news.

The podcast features interviews with experts from the SAP community who share their experience and knowledge on topics such as identity and access management, SAP security controls, audit, and compliance. The discussions are informative, engaging, and accessible to both technical and non-technical listeners; episodes are available in audio and video formats and run from 15 to 40 minutes.

One of the key features of the podcast is its focus on practical tips and solutions for SAP security and compliance. Listeners can expect real-world scenarios and actionable advice on how to address common challenges faced by SAP users.

The podcast is a valuable resource for Governance, Risk, and Compliance practitioners working in the IT or Finance departments of organisations running SAP. Whether you are a security consultant, an IT manager, or a business owner, you will find the podcast to be a valuable resource for improving your SAP security posture.

Listeners can access the podcast on all major platforms such as Apple Podcasts, Spotify, Google Podcasts, and more. To stay up to date with new episodes, visit Soterion’s website to subscribe and receive notifications. Additionally, viewers can watch the episodes on Soterion’s YouTube channel and subscribe to receive notifications of new uploads.

Soterion’s SAP Security & GRC podcast is a must-listen for anyone interested in SAP security and compliance. With its expert guests, practical advice, and insightful discussions, the podcast provides a wealth of information and knowledge that will help you stay ahead of the curve in the fast-evolving world of SAP security.

Take Me to the Podcast

  • Visit Soterion’s website and subscribe to receive notifications of new episodes: https://soterion.com/podcast/
  • Watch the episodes on Soterion’s YouTube channel and subscribe to receive notifications of new uploads.
  • Alternatively, search for ‘SAP Security & GRC’ in your podcast app and follow the show to receive notifications of new episodes.

This article is sponsored by Soterion

Can Pablo Escobar teach us something about Risk Management?
https://insidesap.asia/can-pablo-escobar-teach-us-something-about-risk-management/
Published Sun, 13 Mar 2022 21:00:00 +0000

Pablo Escobar is one of the most infamous narco-terrorists of our time. His name is synonymous with illegal drugs, brutal murders, and a remarkable talent for avoiding capture. He is perhaps less well known as an access risk management professional.

But the truth is, mitigating risk was one of Pablo Escobar’s greatest achievements, and the way he operated provides us with some great principles that we can apply to SAP security and access risk management.

Now, I’m in no way glorifying Escobar’s antics, but the fact is that he ran a multi-billion dollar a year industry that had many moving parts – all without the help of the kind of sophisticated technology many of us have access to today. That’s no small feat.

While I’m not suggesting you go out and commit crime, there are some important lessons you can take from Escobar to help manage risk, enhance SAP security and improve access risk management in your organisation.

The three lines of defence for SAP security

Escobar’s greatest fear was to be caught and extradited to the US. So how was it possible that he was the most wanted person in the world for a 10 to 15 year period, everyone knew which city he lived in, yet some of the most powerful government agencies could not catch him?

The answer is Escobar was brilliant at managing risk. He not only had a very clear idea what his risks were, but he implemented a strategy better than any organisation today to mitigate those risks.

Escobar appreciated and perfected the three lines of defence. In business or otherwise, you have three lines of defence when it comes to SAP security:

  • First line: Operational / Business users
  • Second line: Risk / Compliance departments
  • Third line: Audit / Assurance departments

Your first line of defence should be your strongest

Escobar implemented an exceptionally effective first line of defence.

In his city of Medellin, he was almost untouchable. He realised the importance of having many eyes and ears on the ground, so people from all walks of life fed him information whenever there was a risk. From street kids to grandmothers selling food on street corners, the moment something looked suspicious, Escobar was informed.

If a Westerner arrived at Medellin airport, it was assumed he was a DEA agent, and he would be followed and monitored. When the Colombian army made its move on Escobar, a street vendor noticed many army trucks leaving the barracks, thought that could only be for one reason, and alerted Escobar.

It could be argued that Escobar’s second line of defence was bribing the police and the army. His third line of defence was possibly his army of assassins. However, it was Escobar’s first line of defence that was his most effective in that it got him out of trouble the most often.

For organisations, this is also true: Your first line of defence should always be your strongest.

An organisation’s first line of defence is usually the employees (super / key users) who have been in the organisation for 15 to 20 years. They understand their area of the business and its processes better than anyone else.

Unfortunately, in most organisations this is typically the weakest line of defence. That’s not because those employees don’t know the risks in their area, it’s because the organisation has not implemented the correct processes and solutions to empower those users to participate in the risk management activities.

Empower your first line of defence with business-centric solutions

If you have employees who have been with your organisation for many years and/or have in-depth knowledge of their area of the business, together with a clear understanding of the risks, you are in a good position.

But just having these people available is not enough.

You need to empower them with the right solutions and processes to manage access risk and strengthen SAP security.

All too often organisations end up implementing complex solutions that are too technical for the business users, which result in the solutions being under-utilised or redundant. At best, these technical solutions end up being used as ‘back-end’ solutions by the IT or technical team.

When this happens, you lose your first line of defence.

Be more like Escobar (minus the drugs and deaths)

Escobar implemented a system and process in which people on the ground could act effectively as the first line of defence. These first liners were educated on what was deemed a risk for Escobar. When they identified a risk, there was a clear process they could use to feed the information through to the relevant people in the organisation. Escobar empowered his first liners to raise the alarm if they noticed anything that posed a risk.

While you may not have the weapons that Escobar had, you do have a powerful weapon in risk management at your disposal – loyal and experienced operational and business users.

By enhancing business buy-in and improving your first line of defence, your organisation will become more risk aware and will be able to identify and respond more rapidly to security threats.

To give your organisation the best chance of fighting risk, you need to equip your users with the right weapons – and one of your best weapons today is a business-friendly GRC solution. By giving your people tools that they not only understand but are also not afraid to use, you empower them to effectively manage your organisation’s risk.

About Soterion

Soterion is an international leading provider of governance, risk and compliance solutions for organisations running SAP. Soterion’s user-friendly GRC solutions provide in-depth access risk reporting to allow organisations to effectively manage their access risk exposure. Soterion is passionate about simplifying the governance, risk and compliance processes, with a focus on translating this complexity into a business-friendly language to enhance better decision making and business accountability.

How can Soterion Help You?

Soterion is the market leader in business-centric GRC. By converting the technical GRC language into a language the business users can understand, we facilitate business buy-in and accountability.

Feel free to email us on info@soterion.com. Let us help you take your GRC to the next level.

This article is sponsored by Soterion

SAP User Access Review – Top 6 considerations for a more effective outcome
https://insidesap.asia/sap-user-access-review-top-6-considerations-for-a-more-effective-outcome/
Published Mon, 20 Sep 2021 22:00:00 +0000

There are a number of components / activities that make up a Governance, Risk and Compliance (GRC) solution, many of which are back-end activities performed by GRC or SAP security administrators. However, certain GRC activities have a large touch point with business users, i.e. business users are the primary users of that functionality, namely:

  • SAP Access Risk Simulations (approval / rejection done by line managers)
  • User Access Review

Organisations have been asking their business users to review SAP access change requests for quite some time. However, even though regulations such as SOX and JSOX have existed for almost 20 years, the requirement to perform a User Access Review is a more recent one for many organisations.

In this article, we will take a look at the purpose of a User Access Review and discuss six technical aspects that organisations should consider in order to make the process easier and simpler for the business users.

Why is it Becoming so Important?

The primary driver behind a User Access Review is usually audit. Under regulations such as the Sarbanes-Oxley (SOX) Act and JSOX, listed organisations must maintain effective controls over access to the systems that affect financial reporting, and auditors expect a User Access Review to be performed on a periodic basis, usually annually, as evidence of that control.

Before we go any further, let’s remind ourselves of the purposes of the User Access Review:

During the course of a year, SAP access change requests are simulated using an access control solution. Line managers / business users review these proposed changes, and approved requests are applied in SAP.

The function of the User Access Review is to check, at a later point in time, whether that SAP access is still valid. For example, if a person requests access to create purchase orders (ME21N) and the request is approved, the appropriate role is assigned to the user. If that assignment was made on 1 January 2020, nothing guarantees that the access is still relevant for that user on 1 January 2021.

The User Access Review, therefore, provides the organisation with an opportunity to re-look at the user’s access to confirm whether it is still relevant and applicable (as the user may have moved to a different job function, or their role may have changed since the role assignment was done). One of the great advantages of a User Access Review is that it limits SAP authorisation creep.

The downside for many organisations is that a User Access Review is done merely to appease audit, and the value of the activity is questionable, especially when you consider the amount of effort required by the business users to carry out a User Access Review.

The mindset of the business users needs to shift from treating the review as an audit tick-box exercise to treating it as a valuable activity in remediating access risk: the reason for doing it should be access risk management, not appeasing audit. To support this shift, organisations need to make several process changes that support the business, and they need to understand the challenges facing the business users who perform the SAP User Access Review. If those users find the process onerous or challenging, they will push back on it and treat it as a tick-box exercise, and the organisation will extract minimal value from the User Access Review.

How do You Facilitate This Shift in Thinking?

Besides garnering senior management support for the User Access Review, it is critical that a number of technical aspects are considered to make the process easier and simpler for the business users. Here are a few considerations:

1. Role Design

Does the organisation’s SAP role design make it difficult for the business users to know what access users have i.e. are SAP roles non-descriptive? Are SAP roles large and contain many transaction codes?

To make the User Access Review process as simple as possible for the business users, ensure that the SAP role design lends itself to making the process easy. Functional role designs typically have more descriptive role names, making it easier for business users to understand what is contained in the SAP roles being reviewed. This will allow the business users to make more informed decisions as to whether the access is appropriate or not for the user.

Making the role design descriptive may in fact require a complete role redesign. As organisations move to S/4HANA, this is a good opportunity to re-examine the organisation’s security framework and consider a simpler, more business-friendly role redesign, thereby reducing the effort required in a User Access Review.

2. Role Methodology

Unfortunately, debating SAP role methodologies is like debating religion and politics. People become familiar with one role methodology and do not fully appreciate any other. Most SAP security administrators understand a derived role methodology but have a limited understanding of a task and value (functional / enabler) role methodology.

A task and value role methodology splits transactional access from organisational-level access: task roles carry the transaction codes, and value (enabler) roles carry the organisational-level authorisation values such as company code or plant. Because a task role no longer has to be derived once per organisational unit, far fewer roles need to be created, which also means users are assigned fewer roles. Choosing a role methodology with fewer role assignments reduces the effort required by the business users to carry out a User Access Review.

3. Rule Set Customisation and Business Education of Access Risk

Business users performing a User Access Review are likely to pay more attention to those SAP roles assigned to their users that contribute to access risk violations. If the organisation has performed a rule set customisation project, they are likely to have defined a more appropriate and refined rule set.

The access risk rule set project serves as a great tool for educating the business users on the access risks applicable to their area. By having a better understanding of each of the access risks in the rule set, the business users can make more informed decisions during the User Access Review as to whether a risk bearing access for a particular user is acceptable or not.

4. Use a Tool to Facilitate the User Access Review Process

Performing a User Access Review in a spreadsheet often proves challenging. Although the reviewer can see the roles assigned to each user, spreadsheets rarely include usage and risk information. The result is that roles are removed from users who are actually executing the transaction codes those roles contain, i.e. access they need to carry out their job function. This causes business disruption, and most of the removed access is reassigned to these users immediately after the User Access Review.

By using a commercial solution for the User Access Review, the business users can make more informed decisions due to having User-Transaction usage and access risk information.

A huge benefit of using a tool to facilitate the User Access Review is that it can be configured to speed up the process. As an example, a User Access Review can be created to only include roles that contribute to access risk, thus reducing the number of role assignments that need to be reviewed. Another example is to create a User Access Review that flags roles previously ‘approved’ so that the focus can be on new assignments since the last review. To get the reviewers to perform a User Access Review well, it is important for the solution to convert the technical SAP role language into a language the business users can understand.
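The script below is an added illustration, not code from this article or from any Soterion product. It combines the information the last two considerations describe: an SoD rule-set check over a user's combined transaction access, the ‘What-If’ simulation of a proposed role assignment that the feed's first article attributes to access control solutions, and a review worklist that flags risk-bearing roles, unused roles and assignments that are new since the previous review, with a plain-language recommendation per row. Every input is constructed sample data shaped like extracts from AGR_USERS (user-role assignments), AGR_TCODES (transactions per role) and ST03N/STAD usage statistics; the role names, the rule set, the review date and the prior-approval snapshot are invented.

```python
"""Added example: SoD check, 'What-If' simulation and a prioritised User Access
Review worklist over constructed extracts (not the article's or Soterion's code).
Tables mimic AGR_USERS (user-role), AGR_TCODES (role-tcode) and ST03N/STAD usage;
the role names, rule set, review date and prior-approval snapshot are invented."""
from datetime import date

REVIEW_DATE = date(2021, 9, 20)  # constructed date the review is run
# Constructed: user -> single roles assigned (AGR_USERS-style)
ROLE_ASSIGNMENTS = {
    "JSMITH": {"Z_MM_PO_CREATE", "Z_MM_PO_DISPLAY", "Z_FI_VENDOR_MAINT"},
    "AKHAN": {"Z_MM_PO_DISPLAY", "Z_SD_ORDER_DISPLAY"},
    "LCHEN": {"Z_FI_VENDOR_MAINT", "Z_FI_PAYMENT_RUN"},
}
# Constructed: role -> transaction codes it grants (AGR_TCODES-style)
ROLE_TCODES = {
    "Z_MM_PO_CREATE": {"ME21N", "ME22N"},
    "Z_MM_PO_DISPLAY": {"ME23N", "ME2L"},
    "Z_FI_VENDOR_MAINT": {"FK01", "FK02"},
    "Z_FI_PAYMENT_RUN": {"F110"},
    "Z_SD_ORDER_DISPLAY": {"VA03"},
}
# Constructed: (user, tcode) -> date last executed (ST03N/STAD-style usage)
USAGE = {
    ("JSMITH", "ME21N"): date(2021, 8, 30),
    ("JSMITH", "ME23N"): date(2021, 9, 1),
    ("AKHAN", "ME23N"): date(2021, 9, 10),
    ("LCHEN", "F110"): date(2021, 9, 5),
}
# Constructed rule set: risk id -> (description, function A tcodes, function B tcodes).
# A user violates a risk when they can run at least one tcode on each side.
SOD_RULES = {
    "P001": ("Create purchase orders and maintain vendor master",
             {"ME21N", "ME22N"}, {"FK01", "FK02"}),
    "P002": ("Maintain vendor master and run the payment program",
             {"FK01", "FK02"}, {"F110"}),
}
# Constructed: (user, role) assignments approved in the previous review cycle
PREVIOUSLY_APPROVED = {("JSMITH", "Z_MM_PO_DISPLAY"), ("AKHAN", "Z_MM_PO_DISPLAY"),
                       ("AKHAN", "Z_SD_ORDER_DISPLAY")}

def user_tcodes(user):
    """All transaction codes the user can reach through their roles."""
    return set().union(*(ROLE_TCODES[r] for r in ROLE_ASSIGNMENTS[user]))

def violated(tcodes):
    """Risk ids violated by a set of reachable transaction codes."""
    return {rid for rid, (_, a, b) in SOD_RULES.items() if tcodes & a and tcodes & b}

def risks_for_user(user):
    """Violated risk id -> the user's roles that grant a tcode on either side of it."""
    hits = {}
    for rid in violated(user_tcodes(user)):
        _, a, b = SOD_RULES[rid]
        hits[rid] = {r for r in ROLE_ASSIGNMENTS[user] if ROLE_TCODES[r] & (a | b)}
    return hits

def simulate_assignment(user, new_role):
    """'What-If' check: risks the user would newly violate if new_role were added."""
    before = violated(user_tcodes(user))
    after = violated(user_tcodes(user) | ROLE_TCODES[new_role])
    return sorted(after - before)

def recommendation(risks, unused):
    """Plain-language advice for the line manager instead of technical flags."""
    if risks and unused:
        return "remove: risk-bearing and unused"
    if unused:
        return "remove: unused"
    if risks:
        return "review: risk-bearing but in use"
    return "retain"

def build_worklist(review_date=REVIEW_DATE, unused_days=90, risk_only=False):
    """One row per user-role assignment; risk_only drops rows that carry no risk."""
    rows = []
    for user, roles in sorted(ROLE_ASSIGNMENTS.items()):
        risk_roles = risks_for_user(user)
        for role in sorted(roles):
            risks = sorted(rid for rid, rs in risk_roles.items() if role in rs)
            if risk_only and not risks:
                continue
            used = [USAGE[(user, t)] for t in ROLE_TCODES[role] if (user, t) in USAGE]
            last_used = max(used) if used else None
            unused = last_used is None or (review_date - last_used).days > unused_days
            rows.append({"user": user, "role": role, "risks": risks, "last_used": last_used,
                         "unused": unused, "recommendation": recommendation(risks, unused),
                         "new_since_last_review": (user, role) not in PREVIOUSLY_APPROVED})
    # Risk-bearing unused assignments first, then other unused, then the rest
    rows.sort(key=lambda r: (not (r["risks"] and r["unused"]), not r["unused"]))
    return rows

if __name__ == "__main__":
    for row in build_worklist():
        print(f'{row["user"]:<8}{row["role"]:<20}{",".join(row["risks"]) or "-":<6}'
              f'{str(row["last_used"] or "never"):<12}{row["recommendation"]}')
```

Running the script prints the worklist with risk-bearing, unused assignments at the top, which is the subset a reviewer should spend their time on. The usage window (90 days by default) must be long enough to cover period-end and year-end transactions; otherwise genuinely needed access is flagged as unused and removed, which is exactly the disruption described above.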

5. Split Reviews

If you make use of SAP Composite or Business Roles, consider splitting the review into a User Access Review and a Role Content Review.

  • Role Content Review: A role owner reviews the content of the SAP Composite or Business Role.
  • User Access Review: A line manager reviews the role assignments at the SAP Composite or Business Role level. They do not review the underlying SAP single roles – but simply whether the Composite or Business Role is appropriate for the user.

6. Iterative Reviews

Instead of one large annual User Access Review in which all users’ access is reviewed, see whether it can be split into smaller iterative reviews through the year. The split can be by:

  • Geography: User Access Review done by region.
  • Risk Level: User Access Review done by risk level.
  • SAP module: User Access Review done by SAP module.

It is important to keep in mind the challenge of certification fatigue. This is where the reviewers complain about the time and effort required to carry out a User Access Review.

How can Soterion Help You?

Soterion is the market leader in business-centric GRC. By converting the technical GRC language into a language the business users can understand, we facilitate business buy-in and accountability.

Soterion’s Periodic Review Manager allows the review to be done at the business process level, making it easier and quicker for the business users to carry out their access risk management activities. This allows the business to make more informed decisions and reduces the time it takes to complete the User Access Review, saving the organisation time and money.

Feel free to email us on info@soterion.com. Let us help you take your GRC to the next level.

This article is sponsored by Soterion

Enhance Your Organization’s Overall Risk Awareness with Business-Centric GRC
https://insidesap.asia/enhance-your-organizations-overall-risk-awareness-with-business-centric-grc/
Published Sun, 20 Jun 2021 22:00:00 +0000

Soterion is a leading provider of SAP governance, risk and compliance (GRC) solutions. Soterion’s user-friendly GRC solutions provide SAP customers with in-depth access risk reporting in business-friendly language. This allows organizations to effectively understand and manage their access risk exposure.

Soterion is passionate about simplifying the governance, risk and compliance processes, with a focus on enhancing better decision making and business accountability.

Since inception in 2011, Soterion has provided customers with a holistic offering; combining business-centric GRC software with expert SAP security consulting services, just the combination organizations need to maximise the value of their GRC investment.

Soterion’s plug-and-play GRC solution is easy to learn, S/4HANA ready and boasts an award-winning user experience. Organizations running SAP can make use of Soterion’s GRC security suite either as an on-premise or a secure cloud offering.

As access risk is business risk, Soterion believes that effective GRC is measured by how well the business users can carry out their access risk management activities. Our business-friendly GRC solution enhances the organisation’s overall risk awareness by empowering business buy-in and accountability of access risk.

Take Your GRC to the Next Level

Feel free to email us on info@soterion.com to discuss your organization’s GRC needs.


This article is sponsored by Soterion
