1 Introduction
SAP security and GRC (Governance, Risk & Compliance) are getting more and more important for many of today’s organizations. While traditional systems like HR (Human Resources), ERP (Enterprise Resource Planning), CRM (Customer Relationship Management), SCM (Supply Chain Management) or BW (Business Warehouse) are at the core of fundamental business processes, the move towards SAP S/4HANA, Big Data and cloud solutions introduces another, either parallel or integrated, pillar of technology.
Ensuring an adequate level of security and compliance for the continuously changing SAP system landscape is of utmost importance. Achieving compliance with legal and regulatory requirements is one essential business driver. Beyond that, more and more organizations understand that providing an adequate level of security is a key requirement for protecting the organization’s intellectual property and for safeguarding essential business data, e.g. highly sensitive customer information.
Forward-thinking organizations integrate strong security into all of their processes and systems, which surely is a unique selling proposition for security-savvy partners and customers. An adequate corporate security strategy (typically defined in an appropriate policy framework) covers a wide range of aspects from Audit and Fraud Management to IAM and Risk and Process Management.
A key element for all such initiatives is delivering Access Governance for SAP environments, i.e. the management and control of authorizations, users, roles and profiles. This includes role modelling capabilities and the design and implementation of life cycle and workflow processes, including request approval and recertification. A typical next step is the control of business-oriented processes such as applying SoD (Segregation of Duties) rules or maintaining compliance with the principle of least privilege access.
These aspects remain at the core of what solutions for managing access entitlements and risk in SAP environments must deliver. However, the way this is done is changing. The application landscape is growing beyond traditional SAP ERP systems. The delivery models that customers expect for any type of solution are changing, driven by “cloud first” strategies and the overall shift away from complex deployments. Thus, simple and rapid deployment and flexible operating models such as as-a-service approaches are becoming a core customer requirement.
That does not mean that support can be limited to the most modern releases of SAP software. Many customers run mixed environments, where traditional SAP ERP is still used in some parts, while newer versions are added to the environment.
Amongst the specific requirements for SAP business applications, there is an apparent shift from a technical focus towards easy-to-use solutions targeted at the business teams. Such solutions must efficiently support the management of complex entitlements, roles, and SoD rules, as well as deliver rapid insight into the current state, e.g. via modern dashboards.
The market for GRC solutions, including the ones supporting the management of access controls, for SAP environments is constantly evolving. SAP itself, beyond its SAP Access Control offering, now delivers cloud-based solutions, where the SAP Cloud Identity Service supports Identity Lifecycle Management, while SAP Identity Access Governance (SAP Cloud IAG), which is in scope of this document, focuses on the Access Governance capabilities.