by Pierce Owen, VP, Research & Publishing, SAPinsider
About 66% of the SAPinsider Community currently uses SAP Access Control, but 50% of that group still reports user provisioning processes as their biggest GRC pain point, according to SAPinsider’s upcoming research on “GRC for SAP S/4HANA and Cloud Applications.” In the case of Brighthouse Financial, the company improved its user provisioning processes for SAP products with SAP Access Control and then implemented Saviynt’s Identity Governance and Administration (IGA) solution to integrate the processes with non-SAP applications.
SAPinsider recently interviewed Hugh Laughlin, Director of SAP Security Technology Solutions at Brighthouse Financial. The Fortune 500 annuities and insurance company is headquartered in Charlotte, North Carolina, and has about 1,330 employees. This SAPinsider case study shares how Brighthouse Financial integrated SAP Access Control and Saviynt IGA to shorten user provisioning time.
Manual Access Requests Lack Efficiency
Before integrating Saviynt IGA and SAP Access Control, Brighthouse Financial ran an entirely manual user provisioning process using an access request feature in SharePoint. Users would submit their access request for an SAP system in SharePoint, which would trigger a review by the application teams. A member of the team directly responsible for each application would then manually respond or provision the user.
“We found this to not be very efficient, and the roles were not well defined. Also, when a member of the SAP Basis team or our security team needed firefighting access, they would have to go through the same inefficient process, which increased our levels of risk and down-time,” Laughlin says.
MetLife, the holding corporation for the Metropolitan Life Insurance Company (MLIC), spun off its U.S. retail business in the form of Brighthouse Financial in March 2017. Brighthouse Financial’s technology team spent much of the following year and a half getting SAP S/4HANA Cloud and SAP BW/4HANA up and running for the new company. Once it finished those implementations, it decided to deploy SAP Access Control in June 2019.
SAP Access Control and IGA Accelerate User Provisioning
Brighthouse Financial first realized the benefits of SAP Access Control 12.0 in the form of elevated access for its security and SAP Basis team members. Today, the company often uses SAP Access Control to set up firefighters and controllers to request elevated access.
Recently, Brighthouse Financial performed a major upgrade to SAP S/4HANA that required a significant evolution from the SAP Basis team. Laughlin’s team needed to elevate access for the SAP Basis team to make changes to SAP S/4HANA Cloud, and SAP Access Control empowered them to streamline that process.
“We’re doing a good job with elevated access and segregation of duties (SoD) now with SAP Access Control. We’ve integrated several SAP applications with SAP Access Control including SAP S/4HANA Cloud, the HANA database, SAP Master Data Governance, SAP Insurance Analyzer, SAP BusinessObjects BI, SAP Data Services, and SAP BW/4HANA. It’s good for SoD access review management, testing SoDs, and applying mitigating control before granting access to users. Our team implemented SAP Access Control well,” Laughlin says.
Brighthouse Financial performs a monthly review of SoDs in SAP Access Control, which lets Laughlin’s team look at risks closely and manage them. The company integrates more than 45 applications along with the SAP systems, including Active Directory, SMART by GEP, IBM OpenPages, and BlackLine. Because SAP Access Control does not natively govern access for these non-SAP applications, the company decided to implement the Saviynt IGA solution in August 2019.
“We found that the Saviynt IGA application had a far wider reach than to just SAP products. We integrated Saviynt IGA with SAP Access Control so that access requests start with Saviynt, and they go through the first level of approvals within the IGA solutions before communicating with SAP Access Control,” Laughlin says.
Moving from the manual SharePoint process to an automated and integrated process on Saviynt IGA and SAP Access Control shortened the cycle for getting the right access to the right users.
“There are always some hiccups along the way when you are integrating these capabilities. It takes diligence to work through those hiccups in collaboration with our IGA team to ensure we have a solid onboarding and termination process,” Laughlin says.
What Does This Mean for the SAPinsider Community?
Based on our research and the interview with Hugh Laughlin, the following considerations can help the SAPinsider Community better manage user provisioning and integrations between SAP and non-SAP products:
- If running non-SAP business applications integrated with SAP products, integrate the user provisioning processes. Companies can only efficiently monitor the risks associated with access to integrated non-SAP applications if they have an integrated process to manage that access. Brighthouse Financial relies on an integration between Saviynt IGA and SAP Access Control to monitor this risk.
- Maintain a consistent end-user experience for access requests. Brighthouse Financial’s access requests start in Saviynt IGA. Forcing users to go through different portals to request access results in inefficiencies.
- Leverage existing investments to maximize ROI for SAP products. If already paying for and running SAP Access Control, try to maximize that investment. Look for ways to extend its capabilities rather than running siloed solutions or replacing SAP Access Control before its end of life.
- Implement firefighting access processes. Every SAP customer will face security or SAP Basis issues at some point. To minimize risk and downtime, have the tools and processes in place to assist firefighters and controllers. Brighthouse Financial does this primarily through SAP Access Control and has already seen the benefits in upgrades to SAP S/4HANA.
Pierce Owen, Vice President of Research & Publishing, SAPinsider, can be reached at Pierce.Owen@wispubs.com.