SAP Security and the Provisioning of SAP Access
Key Takeaways
⇨ The evolution of SAP security, access control (GRC), and IAM solutions has led to more efficient provisioning processes and improved access control, but organizations need to choose the right solution for each function to achieve their desired business objectives.
⇨ Seamless integration between access control solutions and IAM solutions has proven challenging, and a hybrid model, using both access control and IAM solutions, may be the best balance between provisioning efficiencies and effective access risk management.
⇨ To make the best decision, it’s important for the SAP security and cyber teams to work together, discussing and debating each use case to select the optimal solution for the organization.
The evolution of SAP security, access control (GRC), and Identity and Access Management (IAM) solutions has led to more efficient provisioning processes and improved access control, but has also presented challenges for organizations. The SAP access control (GRC) solutions evolved from analyzing access risk violations to performing user access reviews and role provisioning. IAM solutions manage identities across IT systems, including SAP and non-SAP, and have a more flexible Business Role concept. However, seamless integration between access control solutions and IAM solutions has proven challenging, requiring organizations to choose the right solution for each function. A hybrid model, using both access control and IAM solutions, may be the best balance between provisioning efficiencies and effective access risk management for organizations with a large SAP footprint.
In the early days of SAP (R2), users were assigned SAP access through SAP profiles. This evolved into SAP roles via the Profile Generator (PFCG). To improve the provisioning process and combat SAP authorisation creep, where users inherit inappropriate access over time, SAP introduced the option to assign SAP roles to the HR Organisation Structure. When a user was moved into an HR position in SAP, they automatically inherited the SAP roles linked to the HR position. SAP Composite Roles were also introduced to enhance provisioning efficiency. An SAP Composite Role is a data container for a group of single roles. When an SAP user is assigned an SAP Composite Role, they inherit all the single roles contained in the Composite Role.
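The role inheritance described above, modelled as an added example that is not from the original article or from Soterion: it expands composite roles into single roles, resolves what a user holds through an HR position and through direct assignments, and flags direct assignments the current position does not justify as authorisation-creep candidates. All role, position and function names are constructed for illustration.

```python
# Constructed sample data: composite role -> single roles it contains.
# Composite roles hold single roles only, so one level of expansion suffices.
COMPOSITE_ROLES = {
    "ZC_AP_CLERK": {"ZS_AP_INVOICE_POST", "ZS_AP_DISPLAY"},
    "ZC_AR_CLERK": {"ZS_AR_INVOICE_POST", "ZS_AR_DISPLAY"},
}

# Constructed sample data: HR position -> roles linked to that position.
POSITION_ROLES = {
    "POS_AP_CLERK": {"ZC_AP_CLERK"},
    "POS_AR_CLERK": {"ZC_AR_CLERK", "ZS_CUSTOMER_DISPLAY"},
}


def expand(roles):
    """Replace each composite role with the single roles it contains."""
    singles = set()
    for role in roles:
        singles |= COMPOSITE_ROLES.get(role, {role})
    return singles


def position_roles(position):
    """Single roles inherited automatically from the HR position."""
    return expand(POSITION_ROLES.get(position, set()))


def effective_roles(position, direct_roles):
    """Everything the user holds: position-derived plus directly assigned."""
    return position_roles(position) | expand(direct_roles)


def creep_candidates(position, direct_roles):
    """Directly assigned single roles not justified by the current position."""
    return expand(direct_roles) - position_roles(position)


if __name__ == "__main__":
    # A user who was given the AP composite role directly, then moved to AR.
    direct = {"ZC_AP_CLERK"}
    for pos in ("POS_AP_CLERK", "POS_AR_CLERK"):
        print(pos, "effective:", sorted(effective_roles(pos, direct)))
        print(pos, "review:   ", sorted(creep_candidates(pos, direct)))
```

After the move to the AR position, the position-derived roles change automatically, while the directly assigned AP roles stay in place and surface as items for review.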
To learn more about the evolution of SAP security, access control (GRC), and IAM solutions, and the challenges organizations face when choosing the right solution for their needs, contact Soterion.