SAP systems are integral to the IT infrastructure of many organizations, providing essential storage for critical business information and supporting various Line of Business (LoB) applications. Managing access entitlements, roles, and segregation of duties (SoD) is crucial for protecting these systems. The migration to cloud solutions and the growing number of non-SAP business applications necessitate a centralized and integrated approach to access control. Vendors are now focusing on delivering broad support for different deployment models, with a preference for as-a-service models. The core functionalities required include flexible deployment, support for a range of SAP and non-SAP systems, role and entitlement management, SoD controls, and integration capabilities. Advanced features like automated role optimization, hybrid deployment support, and enhanced analytics are also beneficial. The market for access control solutions is expanding to manage increasing demands and diverse system environments. Leaders in the space, such as Pathlock, SailPoint, One Identity, SAP, and Saviynt, provide comprehensive solutions with varying strengths in product, innovation, and market presence.
For many enterprises, SAP systems are an essential part of their corporate IT infrastructure. Critical business information is stored within ERP systems, and the favored source for employee data frequently is the SAP HR system. Business processes are implemented through portal solutions relying on SAP infrastructure. Data is held in SAP HANA; the migration to S/4HANA is ongoing, and highly individualized functionality is coded right into the existing standard SAP modules by using ABAP or Java.
SAP solutions remain an important element of the LoB infrastructure of many organizations but are increasingly complemented by other vendors’ solutions. Managing access entitlements including roles, but also SoD (Segregation of Duties) rules, firefighter access, and other aspects around identity, access, and security is essential for protecting these business-critical applications.
Many critical business systems are following the trend of shifting to the cloud, moving either to solutions provided by SAP, such as SuccessFactors or Ariba, or to other vendors’ solutions. Thus, the scope for centralized access controls is expanding beyond the traditional ABAP systems and even beyond SAP. The requirements for solutions are expanding, either by supporting a broader range of systems or by delivering adequate integration points with other solutions covering, e.g., SaaS applications.
Although there are many other systems in place which also contain critical information, many businesses still rely on the availability of well-designed and well-protected SAP Systems. Traditionally, SAP systems are a major focus area for internal and external auditors. For the successful implementation of adequate controls, it is essential that all LoB systems are covered by an effective solution for managing risks, and within that for managing access control and SoD controls and implementing adequate Access Governance.
This is reflected in this Leadership Compass, where deep support for both SAP environments and other vendors’ business applications is in focus. We will also focus on a broader range of supported deployment models, with preference for deployments that include as-a-service models.
In this KuppingerCole Leadership Compass, we analyze solutions that support managing access controls specifically for SAP environments and other vendors’ business applications or LoBs (Line of Business applications). The main focus is on delivering the depth for implementing management and controls across these environments. With the changing landscape of business applications, broader support for implementing controls across all critical business systems has become a focus of our evaluation.
The segment is expanding in two directions:
Deployment models for both the managed services and the solutions are changing, with more SaaS services to manage, and deployment in different ways – as ABAP solution, with SAP Fiori user interface, or separately from SAP as web applications or, becoming the new standard, as SaaS services.
The core of functionality remains in the management of access controls including critical entitlements and SoD conflicts in SAP and other LoB environments. However, solutions frequently also cover additional features such as break-glass access management (firefighter, emergency access), user lifecycle management, role optimization, and more. In this Leadership Compass, we put a strong focus on both the core capabilities and the additional features.
The solutions span from solutions targeting SAP core systems to comprehensive suites covering a broad range of capabilities around access control and security for a heterogeneous set of LoB solutions, including SAP solutions.
We did not restrict our analysis in this Leadership Compass regarding the delivery models. There is a broad range of implementation models, from pure-play ABAP solutions to solutions which have a Fiori app added to full SaaS services, while some SaaS services integrate with ABAP modules back to SAP or SaaS services using other types of interfaces to SAP and other LoB applications. Although the trend is towards SaaS solutions, we covered all types of deployment models in this report.
The focus of our rating is on the amount of flexibility available for customers. There are advantages and disadvantages to all approaches. A full integration as an ABAP solution is great for supporting the traditional SAP environments but reaches its limit when supporting other vendors’ SaaS solutions. Although the user interface might be favored by experienced SAP users, many users – including experienced SAP users – prefer a modern user experience.
Fiori or SAP UI5 as user interface is something that someone who is familiar with SAP environments might prefer, while for cross-LoB use cases other interfaces that do not stem from the SAP domain might be more suitable.
Solutions that run separately from SAP environments are better suited for supporting SaaS services and applications beyond SAP solutions. Some of these also excel in user experience, based on modern UIs with high usability.
The delivery model that is best suited to each individual customer’s needs depends on the current and future scope of applications to manage, and the features in focus. However, there is a clear trend away from traditional ABAP, towards modern user experience, supporting the increasingly heterogeneous business application infrastructure, and being delivered as SaaS.
Solutions can run in the SAP ecosystem or outside of it, the latter commonly being deployed as SaaS. They must provide support beyond the SAP ecosystem. The number of vendors that stick to an SAP-only approach has decreased significantly since the previous edition, with the vendors supporting SAP via external interfaces and increasingly adding support for non-SAP LoB solutions.
Due to the variety of capabilities provided by the solutions which are currently available and with respect to the changing environments, there is a broad set of capabilities we are looking for, split into baseline capabilities and advanced capabilities. The baseline capabilities dominate the rating, with other capabilities being additional to this.
The exception is broad support for systems, beyond the traditional SAP Business Suite. The breadth of support for LoB applications beyond the traditional SAP scope has a high impact on our rating, given that we see increasing demands and strategic changes within business system environments.
Baseline capabilities we are looking for:
Advanced capabilities we are interested in seeing as part of these products:
Inclusion criteria:
Exclusion criteria:
We reached out to many vendors in order to provide a comprehensive overview of the current state of the market. Picking the right vendor will always depend on your specific requirements and the current and future landscape that must be managed.
Selecting the vendor of a product or service must not only be based on the information provided in a KuppingerCole Leadership Compass. The Leadership Compass provides a comparison based on standardized criteria and can help identify vendors that shall be further evaluated. However, a thorough selection includes a subsequent detailed analysis and a Proof of Concept or pilot phase, based on the specific criteria of the customer.
Based on our rating, we created the various Leadership ratings. The Overall Leadership rating provides a combined view of the ratings for
Figure 1: Overall Leaders for Access Control Solutions for multi-vendor LoB Environments (graphic only has a vertical axis).
The Overall Leadership shows Pathlock in front, with a comprehensive product portfolio, providing in-depth support for a wide range of LoB applications. Following them is a group of three vendors. SAP benefits from its strong market position in the SAP space, while being weaker when supporting other LoB applications out-of-the-box. However, SAP also provides solutions from Pathlock to expand the capabilities of their own solution. Saviynt is close to SAP, with a focus on governance across a wide range of applications. SailPoint, after the ERP Maestro acquisition, has a strong position with some in-depth LoB support and broad support for several use cases across a wide range of applications. Another Leader is One Identity, with a proven and solid integration to SAP as well as strong capabilities in supporting other applications, even while not always at the same level of depth as for SAP environments.
EmpowerID is the first vendor in the Challenger segment, with strong support for SAP and Microsoft environments and a platform that allows rapid integration of other LoB applications with deep functional support.
The other two vendors, Sivis and Wikima4, are primarily focused on SAP environments but are expanding to support other LoB applications as well. However, their support for multi-vendor environments is still rather limited.
Overall Leaders are (in alphabetical order):
Product Leadership is the first specific category examined below. This view is based on the analysis of service features and the overall capabilities of the various services. Product Leadership is where we examine the functional strength and completeness of services.
Figure 2: Product Leaders for Access Control Tools for multi-vendor LoB Environments.
Due to various acquisitions, Pathlock has a product portfolio in place that is very feature rich. Because there is both a SaaS and an on-premises version, customers will need to make a decision about which product(s) to use, as with SAP, which offers two products. Even so, Pathlock excels with the overall capabilities on offer.
Following Pathlock, we see SailPoint and Saviynt head-to-head. Both build on a combination of specialized Application Risk Management (ARM) capabilities and broader IGA capabilities and continue to improve their solutions.
SAP is next to these vendors, with a strong solution for the SAP environment, but limitations when it comes to supporting a broader range of non-SAP LoB applications.
Two other vendors from the IGA market have made it into the Leaders segment. One Identity and EmpowerID both provide good support for the SAP ecosystem and can extend this to other LoB applications.
The Challenger segment contains three companies that are more focused on the SAP market but provide a certain level of support for other LoB applications and also, in the case of Sivis, for other non-LoB systems. In this section, we find Sivis and Wikima4.
Product Leaders (in alphabetical order):
Next, we examine innovation in the marketplace. Innovation is, from our perspective, a key capability in all IT market segments. Customers require innovation to meet ever evolving and emerging business requirements. Innovation is not about delivering a constant flow of new releases. Rather, innovative companies take a customer-oriented upgrade approach, delivering customer-requested and other cutting-edge features, while maintaining compatibility with previous versions.
Figure 3: Innovation Leaders for Access Control Solutions for multi-vendor LoB Environments.
In the Leaders segment, we find Pathlock on top, with Saviynt being close. Both demonstrate a strong level of innovation in their products. Following them, we find a group of four more vendors, EmpowerID, One Identity, SailPoint, and SAP (in alphabetical order). All four also are strong in innovation.
In the Challenger section, we find Sivis and Wikima4, all with some good innovations in their products. However, these innovations are mostly focused on SAP and less on supporting the broader LoB market.
Innovation Leaders (in alphabetical order):
Lastly, we analyze Market Leadership. This is an amalgamation of the number of customers, number of transactions evaluated, ratio between customers and managed identities/devices, the geographic distribution of customers, the size of deployments and services, the size and geographic distribution of the partner ecosystem, and financial health of the participating companies. Market Leadership, from our point of view, requires global reach.
Figure 4: Market Leaders for Access Controls Solutions for multi-vendor LoB Environments.
In this analysis, we specifically focus on the market position for supporting a broader range of LoB applications as well as SAP environments, but not on the overall IAM market position of vendors. Thus, vendors that are strong in the specific market for Access Control Solutions for LoB applications score stronger. However, not only the number of customers but also the partner ecosystem and other factors impact this rating.
In the Leaders segment, we find SAP still leading, with Pathlock, given their strong position in multi-vendor LoB support, following them closely, having improved from the previous edition of this report by way of their various acquisitions. SailPoint, One Identity, and Saviynt also are rated as Market Leaders. They all have a significant customer base where they also serve.
In the Challengers segment, EmpowerID is on top. Besides them, we find the smaller SAP specialist vendors Sivis and Wikima4 in this segment.
Market Leaders (in alphabetical order):
While the Leadership charts identify leading vendors in certain categories, many customers are looking not only for a product leader, but for a vendor that is delivering a solution that is both feature-rich and continuously improved, which would be indicated by a strong position in both the Product Leadership ranking and the Innovation Leadership ranking. Therefore, we provide the following analysis that correlates various Leadership categories and delivers an additional level of information and insight.
The first of these correlated views contrasts Product Leadership and Market Leadership.
Figure 5: The Market/Product matrix for Access Control Solutions for multi-vendor LoB Environments.
Vendors below the line have a weaker market position than expected according to their product maturity. Vendors above the line are somewhat “overperformers” when comparing Market Leadership and Product Leadership. All the vendors below the line are underperforming in terms of market share. However, we believe that each has a chance for significant growth.
The correlation between product and market rating is good overall with no major outliers. SAP, not surprisingly, scores strong in the Market Leadership rating due to their significant customer base.
This view shows how Product Leadership and Innovation Leadership are correlated. It is not surprising that there is a clear correlation between the two views with a few exceptions. The distribution and correlation are tightly constrained to the line, with a significant number of established vendors plus some smaller vendors.
Figure 6: The Product/Innovation matrix for Access Control Tools for multi-vendor LoB Environments.
Vendors below the line are more innovative, vendors above the line are, compared to the current Product Leadership positioning, less innovative.
Again, this graphic shows a very good correlation.
The third matrix shows how Innovation Leadership and Market Leadership are related. Some vendors might perform well in the market without being Innovation Leaders. This might impose a risk for their future position in the market, depending on how they improve their Innovation Leadership position. On the other hand, vendors which are highly innovative have a good chance for improving their market position. However, there is always a possibility that they might also fail, especially in the case of smaller vendors.
Figure 7: The Innovation/Market matrix for Access Control Tools for multi-vendor LoB Environments.
Vendors above the line are performing well in the market as well as showing Innovation Leadership; while vendors below the line show an ability to innovate though having less market share, and thus the biggest potential for improving their market position.
Again, the correlation is very strong overall, with some vendors such as Saviynt or EmpowerID demonstrating an innovative potential that is a good foundation for further expanding their market position.
This section provides an overview of the various products we have analyzed within this KuppingerCole Leadership Compass on Access Control Tools for SAP Environments. Aside from the rating overview, we provide additional comparisons that put Product Leadership, Innovation Leadership, and Market Leadership in relation to each other. These allow identifying, for instance, highly innovative but specialized vendors or local players that provide strong product features but do not have a global presence and large customer base yet.
Based on our evaluation, a comparative overview of the ratings of all the products covered in this document is shown in Table 1. Since some vendors may have multiple products, these are listed according to the vendor’s name.
Vendor | Security | Functionality | Deployment | Interoperability | Usability |
---|---|---|---|---|---|
EMPOWERID | | | | | |
ONE IDENTITY | | | | | |
PATHLOCK | | | | | |
SAILPOINT | | | | | |
SAP | | | | | |
SAVIYNT | | | | | |
SIVIS | | | | | |
WIKIMA4 | | | | | |
Table 1: Comparative overview of the ratings for the product capabilities
In addition, we provide in Table 2 an overview which also contains four additional ratings for the vendor, going beyond the product view provided in the previous section. While the rating for Financial Strength applies to the vendor, the other ratings apply to the product.
Vendor | Innovativeness | Market Position | Financial Strength | Ecosystem |
---|---|---|---|---|
EMPOWERID | | | | |
ONE IDENTITY | | | | |
PATHLOCK | | | | |
SAILPOINT | | | | |
SAP | | | | |
SAVIYNT | | | | |
SIVIS | | | | |
WIKIMA4 | | | | |
Table 2: Comparative overview of the ratings for vendors
This section contains a quick rating for every product/service we’ve included in this KuppingerCole Leadership Compass document. For many of the products there are additional KuppingerCole Product Reports and Executive Views available, providing more detailed information.
In addition to the ratings for our standard categories such as Product Leadership and Innovation Leadership, we add a spider chart for every vendor we rate, looking at specific capabilities for the market segment researched in the respective Leadership Compass. For the Leadership Compass Access Control Tools for SAP Environments, we look at the following eight categories:
EmpowerID is an established vendor in the IAM space that provides a comprehensive set of solutions. These include access risk analysis, user lifecycle management and provisioning, SoD analysis, critical access management and other capabilities. With their specific capabilities in supporting SAP environments, EmpowerID positions itself also as an alternative to specialized solutions for access controls management in SAP environments.
Being a provider of a generic IAM solution, the approach EmpowerID takes on access control management for SAP environments is different from that of most of the specialized vendors in this market segment. Everything in EmpowerID is low-code orchestration between systems and thus, in effect, a workflow. An example of this is the approval policy engine where different policies and the approval flow are mapped. Most customization requires some degree of (low code) coding, but there is also graphical visualization of orchestration and process flows available.
For SAP environments specifically, EmpowerID offers a wide range of connectors. These include approximately 15 connectors for SAP ABAP systems and another five that connect to Java-based solutions, plus connectors for SaaS-based solutions provided by SAP and other LoB applications. The connectors provide a deep integration into SAP environments, down to T-Codes and authorization objects and can gather and control information at all levels.
EmpowerID offers a function mapping/analysis engine that can map functions to entitlements and other objects in order to assign a risk level. While EmpowerID don’t provide their own rule books out-of-the-box, they can extract and analyze in-depth information from SAP environments into their own model, but also can import rule books from SAP Access Control. With this approach, they can convert SAP specific information into a common model which can then be analyzed. Automated mapping and conversion is supported for some environments such as Microsoft Entra Azure Active Directory and the SAP core systems, but requires customization for other applications. The unification approach taken by EmpowerID allows for efficient analysis across systems, based on that unified model. Information about risks can be displayed in dashboards.
EmpowerID comes with a modern UI including dashboards and strong reporting and analytics capabilities, but also the ability for managing access. They offer strong capabilities in user lifecycle management, access risk analysis and access risk management. The weaker spots are the limited Emergency Access Management and the lack of additional capabilities that are specific to SAP environments such as go-live management.
EmpowerID provides strong support for SAP environments and is an alternative where integration of access and risk controls with other solutions, including Microsoft environments, is preferred over a specific solution for SAP and/or other LoB applications.
Ratings | |
---|---|
Security | |
Functionality | |
Deployment | |
Interoperability | |
Usability | |
Table 3: EmpowerID’s rating
Strengths |
|
Challenges |
|
Figure 8: EmpowerID’s additional ratings
Leader in |
One Identity counts amongst the leading vendors in the IAM space. They have been providing a comprehensive portfolio of IAM solutions since their acquisition of OneLogin, covering IGA, Access Management, PAM (Privileged Access Management) and Active Directory Management. One Identity Manager is their product for IGA that is also targeted at supporting managing access controls and access risks in SAP environments, in integration with IGA support for other systems and applications in the organization. Additionally, their Safeguard PAM solution also can support restricting privileged access to SAP systems, including emergency access scenarios, while not being an SAP-specific “firefighter” solution. Also, One Identity offers SAP-certified solutions for SSO (Single Sign-On) and password encryption to both SAP GUI and NetWeaver implementations.
One Identity Manager comes with strong support for SAP environments. It provides a unified console for managing SAP accounts and privileged access across the enterprise and allows putting all resources under governance by correlating SAP accounts to corporate identity. Based on that, SAP-optimized SoD rules and access reviews can be performed, and self-service requests for all SAP access can be implemented, integrated with other access requests, while also allowing for building SAP-specific workflows and business logic.
One Identity is a certified SAP partner. The integration approach One Identity has chosen is conscious about the specifics of SAP environments. Integration builds on the One Identity BAPI and does not step on SAP internal security. The SAP teams can continue creating profiles, groups, roles etc., while One Identity Manager manages the memberships and delivers access risk analytics and other capabilities. This allows for having a clear and well-defined segregation between SAP teams and IAM teams.
One Identity Manager can analyze access-related information from the SAP environments across all levels. It provides an out-of-the-box integration to SAP Access Control. With that, it can add – with or without SAP Access Control in place – cross-platform support for managing users, entitlements, and SoD rules. The SoD rule checks can be initiated and executed in various places, allowing for a flexible integration between SAP Access Control and One Identity Manager. Rules can be imported and exported bi-directionally between these two environments.
One Identity Manager comes with strong workflow capabilities, dashboards and other features. It provides leading-edge support for Access Governance features such as recertification campaigns.
One Identity Manager, with its good integration into SAP Access Control but also a strong level of direct integration with a wide range of SAP solutions and other LoB systems, is interesting as both a cross-system counterpart to SAP Access Control and a unified solution for managing access entitlements and risks in SAP environments via a strong IGA solution.
Ratings | |
---|---|
Security | |
Functionality | |
Deployment | |
Interoperability | |
Usability | |
Table 4: One Identity’s rating
Strengths |
|
Challenges |
|
Figure 9: One Identity’s additional ratings
Leader in |
Founded as Greenlight Technologies and providing the well-known Greenlight GRC connectors extending SAP Access Control, Pathlock acquired Appsian, Security Weaver, CSI Tools, and SAST Solutions in 2022 and delivers both SaaS-based and on-premises solutions for application GRC, supporting SAP and a wide range of other LoB solutions.
Pathlock focuses on delivering a 360-degree platform for protecting critical business applications, data, and processes. The Pathlock Platform supports more than 140 business applications on-premises and in the cloud. Pathlock focuses on risk mitigation and the automation of controls, reducing the manual effort required for achieving compliance with external and internal regulations and policies. The solutions are delivered in two variants. The strategic product is the SaaS-based Pathlock Platform, running in the public or private cloud. For customers with a stronger set of legacy systems, Pathlock also delivers a set of on-premises solutions. The focus of this report is on the SaaS-based Pathlock Platform.
The core capability areas of the Pathlock Platform are:
The core platform then provides the common services across all functional solutions. These services include the rule engine for creating, managing and enforcing rules, for instance SoD rules or critical entitlement rules. This includes the workflow capabilities to automate request, approval, and review processes, as well as creation and maintenance of audit trails. The platform includes an engine for a unified approach to risk metrics, such as the reporting and quantification of SoD violations (the aforementioned ‘did do’ analysis). Pathlock’s simulation engine supports risk assessments for both roles and users prior to provisioning. The platform also captures and reports on user activities (usage tracking).
These technical capabilities are used by a range of functional services, including user access management, role management, emergency access and PAM (Privileged Access Management), and SoD enforcement.
Pathlock is executing on a well-thought-out roadmap and will add a range of further improvements to their platform, including AI-driven controls and application security features.
The Pathlock platform is a leading-edge solution in the access control market for SAP and other LoB applications. While providing leading-edge support for SAP environments, its particular strength stems from the excellent support for a wide range of other LoB applications, thus serving the needs of customers running heterogeneous LoB application environments. Certain SAP-specific capabilities require the deployment of Pathlock Native as an additional solution.
Ratings | |
---|---|
Security | |
Functionality | |
Deployment | |
Interoperability | |
Usability | |
Table 5: Pathlock’s rating
Strengths |
|
Challenges |
|
Figure 10: Pathlock’s additional ratings
Leader in |
SailPoint Application Risk Management (ARM) is a solution for managing users, their access entitlements, and the related access risk across a range of Line of Business applications, including SAP. SailPoint Application Risk Management delivers in-depth control in these environments. It is part of the broader SailPoint Security Identity Platform which combines a variety of solutions for IGA (Identity Governance & Administration), B2B Identity Risk Management, AI/ML-based analytics and other use cases. The SailPoint IGA solutions add support for cross-system controls across the entire breadth of critical business applications. The recent acquisition of SecZetta adds support for non-employee application risk management.
SailPoint Application Risk Management delivers a series of capabilities, centered around three main areas. Unified Risk Management focuses on delivering comprehensive insights across all types of applications and unifying ARM and SoD management with IGA across various LoB (Line of Business) applications and beyond. Enterprise-wide visibility is closely related to Unified Risk Management but focuses on multi-application SoD controls and risk visibility, as well as cross-application risk simulation ahead of granting access. Compliance and Audit delivers unified access reviews and reporting across the full range of applications, complementing the proactive parts of SailPoint ARM.
As commonly used for modern solutions, the entry point for users is dashboards, delivered as a pre-defined part of the SaaS solutions. These dashboards allow for a drill-down into details, and they can be filtered and customized. This allows users of various levels, be it more technically oriented application owners, risk managers, or managers, to get the insights they require to understand the risk status and posture for LoB applications and beyond.
For some of the LoB applications such as SAP ECC, there are out-of-the-box rule books with audit-compliant controls, allowing for a quick start in implementing SailPoint Application Risk Management. For access review, SailPoint Application Risk Management supports common review campaigns, but also dashboards for administrators, risk managers, and reviewers showing the status of current review campaigns. Being an Application Risk Management solution focusing on LoB applications, there is also the depth for reviews at various levels, such as roles, transaction codes, or risks, including contextual enrichment features that inform the reviewer of actual usage and a simulated impact on risk should the access in question be removed.
Last but not least, SailPoint Application Risk Management benefits from the analytics capabilities of the SailPoint Identity Platform. It delivers advice for remediations, allows the discovery of risks from various perspectives such as roles, users, or business processes, and immediately identifies SoD conflicts.
Regarding support for other LoB applications, the current focus is on ABAP-based SAP applications and SuccessFactors, plus the SAP S/4HANA environment. Other applications including Oracle EBS (E-Business Suite), Workday, Salesforce, or ServiceNow are on the roadmap. Additionally, the SailPoint Identity Platform provides integration to the full range of other business applications via its native connectors, delivering capabilities, e.g., for user lifecycle management and baseline Application Risk Management, including cross-application SoD controls, to a broad variety of products. We expect to see significantly broader native in-depth support for LoB applications in the SailPoint ARM solution, building on the experience in both IGA and Application Risk Management coming together.
The solution is of specific interest to organizations looking for deeper integration between the management of risks in line of business applications and cross-platform IGA solutions.
Table 6: SailPoint’s rating (Security, Functionality, Deployment, Interoperability, Usability)
Figure 11: SailPoint’s additional ratings
SAP Access Control is the leading solution in the market for access control solutions for SAP environments, which is not a surprise given that it is SAP’s own solution in this market segment. SAP Access Control is complemented, and can also be replaced, by SAP Identity Access Governance (IAG), which adds support for other SAP SaaS services. Customers currently have the choice between both solutions, with SAP IAG being the solution that is easier to customize and to extend to other platforms.
SAP Access Control comes with strong support for all major features to be expected in that type of solution. It provides support for managing roles and authorization objects, has strong features in SoD management, and provides proven emergency access/firefighter support. SAP Cloud IAG comes with a rather similar set of features but provided in a SaaS deployment model and simpler in configuration and customization. New features include capabilities such as a workflow designer for access requests or the ability to link request tickets to firefighter log entries for review.
SAP S4 RISE PCE and SAP S4 Public Cloud are supported by Access Control PCE, extra stack and Access Control PCE S4 add-on respectively. SAP has also supported qualification of Pathlock AVM for PCE landscapes. SAP and Pathlock have a joint strategy involving the SAP customer base. The solutions also integrate with SAP Identity Management (also available as PCE solution) for user lifecycle management and with other solutions of the SAP GRC solutions for managing risks. For integration with SAP SaaS solutions such as SuccessFactors, it requires SAP IAG. This might cause the need for upgrading to the latest version of SAP Access Control, which requires customers to operate in a mixed environment of SAP solutions. For SAP IAG, SAP is expanding the range of supported solutions, specifically for comprehensive support of the various SAP SaaS solutions.
SAP, as the undisputed market leader, has the largest partner ecosystem of all vendors in that market segment, providing services in every region globally. This differentiates SAP from many other vendors that are limited to certain regions.
SAP Access Control and SAP IAG, as the solutions provided by SAP itself, are a logical option for any shortlist in this market segment. While SAP Access Control counts amongst the more heavyweight solutions, SAP IAG as a SaaS service provides simplified deployment and customization. A major challenge for SAP solutions is their limited support for non-SAP business applications. However, aside from relying on partners such as Pathlock (formerly Greenlight GRC), SAP has added additional integration points to SAP Cloud IAG, such as the SCIM (System for Cross-Domain Identity Management) support and an API library for easier integration with other applications. Both SAP solutions can work together seamlessly.
Table 7: SAP’s rating (Security, Functionality, Deployment, Interoperability, Usability)
Figure 12: SAP’s additional ratings
Saviynt differs from most other vendors in this market segment because of their focus on delivering security and access governance solutions for a broad variety of systems, including full support for IGA (Identity Governance and Administration). They also provide in-depth support for SAP environments, qualifying them for this analysis. Saviynt provides its solutions as a SaaS service, but also allows them to be run in other deployment models.
As a provider of a solution that supports the full breadth of IGA capabilities, Saviynt supports a broad set of target environments. SAP is only one of these. However, Saviynt comes with deep expertise and integration for SAP environments, provided in their specific Saviynt for SAP solutions, with SAP environments being a primary target of Saviynt from the beginning.
Features include pre-defined controls for compliance management, role management and role engineering, and other capabilities. Support is provided for all levels of SAP authorizations and access controls down to transaction codes, i.e., not limited to the high-level business role view most other IGA tools provide. They deliver preventative risk analysis for access provisioning. Saviynt also supports access reviews and can manage temporary, just-in-time (JIT) assignments of entitlements, in contrast to common standing privileges.
Saviynt has improved their workflow capabilities and also supports graphical workflow development. They support the integration of a variety of applications that are commonly used, for instance simplifying access reviews by integrating them into solutions such as Slack, Microsoft Teams, or ServiceNow.
Out-of-the-box rule sets are provided for a range of business applications, including SAP, Oracle, Infor, Epic, and Microsoft Dynamics. Another interesting capability is their support for activity monitoring, which allows implementing a CCM approach based on out-of-the-box controls for a range of regulations, where Saviynt delivers up-to-the-minute status information.
Furthermore, Saviynt comes with some advanced capabilities such as the management of SAP licenses and emergency management capabilities supporting both SAP environments and non-SAP environments, based on their privileged access management capabilities. The latter includes comprehensive traceability of firefighter access. However, in contrast to some of the specialized vendors, their support for certain specialized capabilities adding to access control solutions is not their primary focus. Saviynt can address many of these use cases anyway, for instance via reporting.
Saviynt successfully combines two sets of capabilities. On the one hand, they provide strong support for SAP specifics in access control and management. On the other hand, Saviynt is not limited to SAP environments, but delivers services for a broad range of target systems, plus comprehensive IGA capabilities. This allows the creation of a central solution for IGA and business software access control. Saviynt also excels with innovation and a strong, global partner ecosystem.
Table 8: Saviynt’s rating (Security, Functionality, Deployment, Interoperability, Usability)
Figure 13: Saviynt’s additional ratings
SIVIS is a German provider of a solution for managing access control and related settings in SAP environments, with their SIVIS Enterprise Security solution. The company delivers an integrated set of capabilities that can be selected by the customer depending on its requirements. SIVIS Enterprise Security runs as a container-based solution in Docker, but still utilizes some components running in the SAP landscape and using the SAP transport system. Additionally, it now contains an IGA solution focused on Microsoft environments, extending support into this domain.
While having been focused on traditional SAP environments, the scope is extending beyond SAP ECC and S/4HANA. Frontends are provided as web applications, including the ones for user self-service. Furthermore, SIVIS just released a cloud connector, which allows integrating SaaS solutions as well. Available integrations include SAP Ariba and Jira, which will be further extended in the future.
Overall, there are close to 20 separate modules which can be used. This includes capabilities such as the Identity Manager for managing user profiles, the Role Manager for role management including a separate module providing more than 1,000 pre-defined roles, the Compliance Manager for SoD management, together with pre-defined SoD controls, and many more. They also focus on optimization of entitlements in SAP environments, following a model that in the future can be extended to other business applications.
Beyond the common capabilities found in most products in that market such as recertification management, alerting, and emergency access management, there are others such as the Concept Manager for automated documentation of the SAP access entitlement model. SIVIS also provides a license manager for SAP environments.
Furthermore, there are several connectors for integration with other systems for user lifecycle management and analytics, and for integrating further SAP platforms. SIVIS Enterprise Security can work with HR systems and Microsoft Active Directory, and it can connect for instance to SAP BI and HANA. With the new cloud connector, they also can integrate to other SaaS services of both SAP and other vendors. They also provide direct integration to Microsoft Dynamics 365 and Microsoft Active Directory and Microsoft 365 environments. There are additional means of integrations to other services, and standard integrations to various cloud systems such as SuccessFactors, Salesforce, or ServiceNow.
SIVIS currently primarily targets the European market with a good footprint in Germany, Switzerland, and Denmark, but has successfully expanded in the French speaking market over the last two years, partnering with major local SAP Partner and increasing their customer base in this region. They provide a good set of capabilities, and they are opening up from an SAP-only focus towards supporting a broader range of applications. SIVIS also comes with a well-integrated, modular, and easy-to-use solution for SAP environments, providing a strong alternative to other offerings in that market. With their expansion to support Microsoft environments as well, SIVIS strengthened their position as a provider of integrated access control solutions for a broader range of systems.
Table 9: SIVIS’ rating (Security, Functionality, Deployment, Interoperability, Usability)
Figure 14: SIVIS’ additional ratings
Wikima4 is a Swiss-based provider of SAP Security Consulting and offers their own GRC and access control solution for SAP environments. The core module of what Wikima4 has named GRC-in-a-box is the Mesaforte Compliance Suite. Together with rolebee for role design and role management, the solution provides support for all core requirements we expect to see in such solutions.
While the solution is offered as an integrated suite, it consists of several separate modules, which can be licensed separately. Wikima4 not only offers generic best practice rule sets and templates, but also industry-specific ones. This allows for more efficient implementation, because the rule sets, controls catalogs, and templates are already targeted at the specific use cases within the industries.
The modules provide capabilities ranging from defining and monitoring compliance and SoD rule sets to automated analysis and monitoring of SAP security settings, usage analysis and license optimization to a range of capabilities around managing users and their access. The latter include role design and optimization as well as temporary access, e.g., for emergency access, and automated entitlement management. Furthermore, there is a module targeting the specific requirements of GDPR (General Data Protection Regulation).
For compliance and SoD management, Wikima4 has a simulation component and a dashboard with drill-down functionality. In advanced risk analysis, the capabilities include a wizard for efficient processing of violations. For the firefighter modules, specific emphasis is on improved forensics for identifying changes made during emergency access.
Recently, the focus has been expanded towards ICS support (Internal Control System) and analytical functions for business users. This includes CCM (Continuous Controls Monitoring) capabilities based on real-time data.
The Wikima4 solutions are tightly integrated into SAP environments and benefit from the consulting practice of the organization, such as with the industry-specific catalogs. The main focus is on traditional, homogeneous SAP environments. This might impose a restriction for customers that run an environment with a heterogeneous set of business applications, or which increasingly build on SaaS services. However, Wikima4 can integrate on demand with further applications, including homegrown applications.
The solution is focused on key requirements of customers, for rapid implementation, not overloaded with specialized capabilities. Wikima4 is primarily focused on the German-speaking countries, with only a few customers outside of that region. The partner network is very small. However, Wikima4 offers its own consulting services in their core region, being able to directly serve the customers.
Table 10: Wikima4’s rating (Security, Functionality, Deployment, Interoperability, Usability)
Figure 15: Wikima4’s additional ratings
Besides the vendors covered in detail in this document, here are some other vendors in the market that readers should be aware of. These vendors do not fully fit the market definition, but offer a significant contribution to the market space. This may be for their supportive capabilities to the solutions reviewed in this document, for their unique methods of addressing the challenges of this segment, or may be a fast-growing startup that may be a strong competitor in the future.
Fastpath
Fastpath provides a cloud-native platform for managing compliant access control and delivering IGA capabilities for multi-application environments. Fastpath, after the acquisition of Ideiio, comes with a portfolio combining access control for multi-vendor LoB applications with IGA capabilities into a single platform. This makes them an interesting alternative for both the SAP-centric access control market and for organizations that need to manage LoBs provided by multiple vendors. Integrations are provided for a wide range of LoB applications, including SAP, Oracle, Microsoft, Salesforce, and Workday. Additionally, Fastpath provides integrations to various other platforms, IGA systems, and authentication platforms such as Okta and OneLogin.
Why worth watching: Powerful solution with good IGA support and broad support for a variety of LoB applications.
IBM
With its cloud-based Security Verify (Identity Governance & Administration), IBM provides a solution that is primarily targeted at the IAM market. The solution comes with well-above-average capabilities in managing SAP environments, including authorization objects, thus exceeding what is commonly found in that type of tool. With its strong support for heterogeneous environments, it might become an alternative to specialized solutions, despite not offering the same level of specialization.
Why worth watching: Option if cross-platform IGA capabilities are in focus and some good level of support or access control management for SAP is required.
NTT Managed Services
NTT Managed Services has acquired ControlPanelGRC from Symmetry. The product is an easy-to-use solution covering the major aspects of managing access control and access related GRC requirements in SAP environments. It comes with a modern UI and is well-integrated into the SAP ecosystem. It also can integrate with SAP GRC solutions to complement these. ControlPanelGRC consists of a number of modules, covering the major areas within this market segment. This includes SAP SoD Risk analysis and management of SoD controls, monitoring SAP Transaction Usage and thus adding an element of Continuous Controls Monitoring, plus using such information for SAP license management, and SAP Audit Management. The solution also provides the full breadth of user provisioning and role management capabilities for SAP environments, as well as user access reviews. It also can integrate with SAP HCM in such processes, but also by securing HCM data in compliance with relevant regulations.
Why worth watching: interesting alternative to the solutions in scope of this rating, in particular for customers focusing on SAP ecosystems.
SafePaaS
SafePaaS is an established vendor in this market segment, providing good support for both SAP and non-SAP environments. A specific strength is their ability to normalize data from different sources and apply common rule sets. Additional business applications are easy to connect, and the set of out-of-the-box integrations is constantly growing.
Why worth watching: Good support for non-SAP business applications and straightforward approach for adding further integrations.
SecurEnds
SecurEnds provides a solution for analyzing and monitoring user access and entitlements, supporting capabilities such as user access reviews, access certifications, and entitlement audits for a range of applications, including Workday, PeopleSoft, Oracle, but also certain SAP components. SecurEnds is an interesting alternative specifically for customers where SAP plays a minor role in the environment, but that are focusing on modern SaaS services for delivering their business applications.
Why worth watching: Alternative to the solutions in this Leadership Compass specifically for cross-platform requirements and managing access risks in modern SaaS solutions, but also delivering some level of SAP support.
KuppingerCole Leadership Compass is a tool which provides an overview of a particular IT market segment and identifies the leaders within that market segment. It is the compass which assists you in identifying the vendors and products/services in that market which you should consider for product decisions. It should be noted that it is inadequate to pick vendors based only on the information provided within this report.
Customers must always define their specific requirements and analyze in greater detail what they need. This report doesn’t provide any recommendations for picking a vendor for a specific customer scenario. This can be done only based on a more thorough and comprehensive analysis of customer requirements and a more detailed mapping of these requirements to product features, i.e. a complete assessment.
We look at four types of leaders:
For every area, we distinguish between three levels of products:
Our rating is based on a broad range of input and long experience in that market segment. Input consists of experience from KuppingerCole advisory projects, feedback from customers using the products, product documentation, and a questionnaire sent out before creating the KuppingerCole Leadership Compass, and other sources.
KuppingerCole Analysts AG as an analyst company regularly evaluates products/services and vendors. The results are, among other types of publications and services, published in the KuppingerCole Leadership Compass Reports, KuppingerCole Executive Views, KuppingerCole Product Reports, and KuppingerCole Vendor Reports. KuppingerCole uses a standardized rating to provide a quick overview on our perception of the products or vendors. Providing a quick overview of the KuppingerCole rating of products requires an approach combining clarity, accuracy, and completeness of information at a glance.
KuppingerCole uses the following categories to rate products:
Security is primarily a measure of the degree of security within the product/service. This is a key requirement. We look for evidence of a well-defined approach to internal security as well as capabilities to enable its secure use by the customer, including authentication measures, access controls, and use of encryption. The rating includes our assessment of security vulnerabilities, the way the vendor deals with them, and some selected security features of the product/service.
Functionality is a measure of three factors: what the vendor promises to deliver, the state of the art and what KuppingerCole expects vendors to deliver to meet customer requirements. To score well there must be evidence that the product / service delivers on all of these.
Deployment is measured by how easy or difficult it is to deploy and operate the product or service. This considers the degree in which the vendor has integrated the relevant individual technologies or products. It also looks at what is needed to deploy, operate, manage, and discontinue the product / service.
Interoperability refers to the ability of the product / service to work with other vendors’ products, standards, or technologies. It considers the extent to which the product / service supports industry standards as well as widely deployed technologies. We also expect the product to support programmatic access through a well-documented and secure set of APIs.
Usability is a measure of how easy the product / service is to use and to administer. We look for user interfaces that are logical and intuitive as well as a high degree of consistency between the user interfaces of the different products / services from the vendor.
We focus on security, functionality, ease of delivery, interoperability, and usability for the following key reasons:
KuppingerCole’s evaluation of products / services from a given vendor considers the degree of product Security, Functionality, Ease of Delivery, Interoperability, and Usability, which are considered to be of the highest importance. This is because lack of excellence in any of these areas can result in weak, costly and ineffective IT infrastructure.
We also rate vendors on the following characteristics
Innovativeness is measured as the capability to add technical capabilities in a direction which aligns with the KuppingerCole understanding of the market segment(s). Innovation has no value by itself but needs to provide clear benefits to the customer. However, being innovative is an important factor for trust in vendors, because innovative vendors are more likely to remain leading-edge. Vendors must support technical standardization initiatives. Driving innovation without standardization frequently leads to lock-in scenarios. Thus, active participation in standardization initiatives adds to the positive rating of innovativeness.
Market position measures the position the vendor has in the market or the relevant market segments. This is an average rating over all markets in which a vendor is active. Therefore, being weak in one segment doesn’t lead to a very low overall rating. This factor considers the vendor’s presence in major markets.
Financial strength: while KuppingerCole doesn’t consider size to be a value by itself, financial strength is an important factor for customers when making decisions. In general, publicly available financial information is an important factor therein. Companies which are venture-financed are in general more likely to either fold or become an acquisition target, which presents risks to customers considering implementing their products.
Ecosystem is a measure of the support network vendors have in terms of resellers, system integrators, and knowledgeable consultants. It focuses mainly on the partner base of a vendor and the approach the vendor takes to act as a “good citizen” in heterogeneous IT environments.
Again, please note that in KuppingerCole Leadership Compass documents, most of these ratings apply to the specific product and market segment covered in the analysis, not to the overall rating of the vendor.
For vendors and product feature areas, we use a separate rating with five different levels, beyond the Leadership rating in the various categories. These levels are
KuppingerCole tries to include all vendors within a specific market segment in their Leadership Compass documents. The scope of the document is global coverage, including vendors which are only active in regional markets such as Germany, Russia, or the US.
However, there might be vendors which don’t appear in a Leadership Compass document due to various reasons:
The target is providing a comprehensive view of the products in a market segment. KuppingerCole will provide regular updates on their Leadership Compass documents.
We provide a quick overview about vendors not covered and their offerings in chapter Vendors and Market Segments to watch. In that chapter, we also look at some other interesting offerings around the market and in related market segments.
© 2024 KuppingerCole Analysts AG all rights reserved. Reproduction and distribution of this publication in any form is forbidden unless prior written permission. All conclusions, recommendations and predictions in this document represent KuppingerCole's initial view. Through gathering more information and performing deep analysis, positions presented in this document will be subject to refinements or even major changes. KuppingerCole disclaims all warranties as to the completeness, accuracy and/or adequacy of this information. Even if KuppingerCole research documents may discuss legal issues related to information security and technology, KuppingerCole does not provide any legal services or advice and its publications shall not be used as such. KuppingerCole shall have no liability for errors or inadequacies in the information contained in this document. Any opinion expressed may be subject to change without notice. All product and company names are trademarks ™ or registered trademarks ® of their respective holders. Use of them does not imply any affiliation with or endorsement by them.