Centralizing User Access Management
By Matt Gillespie, Contributing Writer
A global tools and storage company, which generates $14.5B in annual revenue and employs more than 10,000 workers worldwide, found itself at a corporate crossroads. Through various roadmap initiatives, mergers, and acquisitions, the company’s IT environment had become both sprawling and extensive. Maintaining that array of systems and the business operations across them was complex and highly challenging.
The organization had more than one hundred enterprise resource planning (ERP) systems in place globally when it began the journey to optimize the environment in 2017. The long-term plan is to migrate all financial operations to SAP S/4HANA for central finance, with operational activity such as sales, marketing, and logistics remaining on SAP ERP Central Component (SAP ECC) instances. As a requirement for the move to SAP S/4HANA, the company needed to upgrade SAP Access Control, which it undertook as a four-month stand-alone project.
Applying Agile Product Methodology to the Access Control Upgrade
Although the implementation team was generally accustomed to working with a waterfall methodology, it set up the SAP S/4HANA program as a hybrid, with Agile design and build. The team encountered some challenges adapting its SAP ECC security design process to Agile. An early lesson learned was that all workstreams need to be included in the sprint process; handoff to the governance, risk, and compliance (GRC) team for requirements collection was initially downstream from the sprint closure, creating dependencies outside the Agile process that slowed progress. Capturing security and configurable controls requirements in the user stories instead created a smoother project flow.
To streamline meeting security requirements, the team added custom fields to Jira, which it was using as a sprint-management tool. This change enabled the team to flag user stories that had security requirements and to generate reports based on those flags. Leveraging that information, team members were able to identify security requirements within user stories for the current sprint. During weekly meetings, the team ensured that those requirements were addressed before closing the user story, preventing lag in the overall process.
Automating User Provisioning and Certifying Access to Resources
The team needed to update the GRC ruleset for the new and changed functionality in SAP S/4HANA, such as tiles/apps and business partners. To refine the new ruleset, the team benchmarked SAP’s segregation of duties ruleset against the leading practice ruleset from their implementation partner. The company also moved from traditional GUI transactions to a user experience based primarily on SAP Fiori.
The solution uses SAP Access Control business roles to improve the user experience with standardized access to applications and data. Because the team planned to implement business roles after the Hypercare stage for the core solution, they had to set up some simple interim front-end and back-end role mapping in the form of “mini business roles” to ensure uninterrupted access to resources during Hypercare.
The team is working with its implementation partner to create configurable controls that will be loaded into SAP Process Control, providing a more robust and comprehensive version of the automated controls that were already in use in the ECC environment. The process is being refined with involvement from end users to improve validation scripts for the user acceptance testing (UAT) cycle. Robotic process automation is also playing a growing role to reduce costs and improve repeatability.
Progress Along the Company’s SAP S/4HANA Journey
The overall SAP S/4HANA for central finance design approach includes moving to Agile and building future-focused solutions with a minimum of customizations and other technical debt. The SAP Access Control implementation follows that approach to provide centralized user access management. It lays the groundwork for increased automation, including through the planned addition of configurable controls. The project also satisfies a prerequisite for migration to SAP S/4HANA, making it a strategic requirement for the evolution of the company’s ERP environment toward a more cost-effective and sustainable model.
This experience also acts as a proof of concept for the organization to adopt Agile methodology for SAP implementation projects. The project’s success provides experience and credibility among both team members and stakeholders. It cultivated collaboration between the SAP team and the business units, helping keep business needs and user experience at the center of the process. As an early win in the use of Agile, the project also built internal expertise for refining the sprint task pipeline, making it run more smoothly, without bottlenecks or lag.
Takeaways and Lessons Learned
This project demonstrates the viability of upgrading to the later version of SAP Access Control as part of an SAP S/4HANA adoption, while also moving from the traditional SAP GUI to Fiori-based user experiences. Organizations following this path should be aware that the emergency access management capability does not yet extend the unified “firefighter” experience to include Fiori web applications, although providing that functionality is on SAP’s roadmap. In the interim, the company is using a manual workaround based on a ticketing system to manage elevated SAP Fiori access requests.
In addition to meeting a requirement for the adoption of SAP S/4HANA, this upgrade was a crucial step forward for the firm’s adoption of Agile methodology. It functioned as a proof of concept to demonstrate the methodology’s viability and as an opportunity to refine and improve the team’s Agile process. Based on this experience, the company’s SAP teams intend to extend the use of the Agile approach within future projects.
Going forward, the team is refining the process further, with particular attention to integrating sprints across all workstreams and developing a more iterative design and build process. In that way, the organization has linked the modernization of its infrastructure to that of its processes, a symbiosis that helps power its way forward.