1 Introduction
SAP security and GRC (Governance, Risk & Compliance) are getting more and more important for many of today’s organizations. While traditional systems like HR (Human Resources), ERP (Enterprise Resource Planning), CRM (Customer Relationship Management), SCM (Supply Chain Management) or BW (Business Warehouse) are at the core of fundamental business processes, the move towards SAP S/4HANA, Big Data and cloud solutions from both SAP and other vendors introduces another, either parallel or integrated, pillar of technology.
Ensuring an adequate level of security and compliance for the continuously changing landscape of business systems, SAP and beyond, is of utmost importance. Achieving compliance with legal and regulatory requirements is one essential business driver. Beyond that, more and more organizations understand that providing an adequate level of information security and access control is a key requirement for protecting the organization’s intellectual property and for safeguarding essential business data, e.g. financial data or highly sensitive customer information.
Forward-thinking organizations integrate strong security into all of their processes and systems, which surely is a unique selling proposition for security-savvy partners and customers. An adequate corporate security strategy (typically defined in an appropriate policy framework) covers a wide range of aspects from Audit and Fraud Management to IAM and Risk and Process Management. At the core of such a strategy is adequate protection of business applications and their data.
CSI tools focuses on Access Governance for SAP environments, i.e. the management and control of authorizations, users, roles and profiles. This includes role modelling capabilities and the design and implementation of life cycle and workflow processes, including request approval and recertification. A typical next step is the control of business-oriented processes such as applying SoD (Segregation of Duties) rules or maintaining compliance with the principle of least privilege access.
These aspects remain at the core of what solutions for managing access entitlements and risk in SAP environments must deliver. However, the way this is done is changing. The application landscape is growing beyond traditional SAP ERP systems. The delivery models that customers expect for any type of solution are changing, driven by “cloud first” strategies and the overall shift away from complex deployments. Thus, simple and rapid deployment and flexible operating models such as as-a-service approaches become a core requirement of customers.
That does not mean that support can be limited to the most modern releases of SAP software. Many customers run mixed environments, where traditional SAP ERP is still used in some parts, while newer versions are added to the environment.
Amongst the specific requirements for SAP business applications, there is an apparent shift from a technical focus towards easy-to-use solutions targeted at the business teams. Such solutions must efficiently support managing the complexities of entitlements, roles, and SoD rules, as well as delivering rapid insight into the current state, e.g. via modern dashboards.
The market for GRC solutions, including the ones supporting the management of access controls, for SAP environments is constantly evolving. One of the vendors in this market is CSI tools, a European vendor delivering a suite of solutions for managing access risks in SAP environments.