Governing SAP Applications with Cloud Identity Access Governance

Previously, we wrote about Cloud Identity Access Governance (IAG) based on the latest news coming out of a recent SAPinsider event. In this post, we would like to provide an update on the solution and clarify two editions we think are important to understand.

Integrations

There has been renewed focus by SAP to continue to innovate and integrate their suite of enterprise applications. Earlier this year, SAP announced an integration roadmap with a goal to provide “90 percent integrations” across the different SAP products by the end of the year. As of Q3 2020, SAP has announced they are more than 50 percent complete and still expect to achieve the 90 percent target by the end of the year. This is not just important from a business transaction perspective, but is also a priority from a security and access governance perspective as noted by the “consistent security and identity management” milestone (or “suite quality” according to SAP) within their integration roadmap.

This is exciting news, as it begins to close the gap we have seen for years in trying to manage identities across SAP products, monitor cross-system risks and centralize access management. The renewed focus by SAP to focus on integrating their core products is also evident in several recent updates SAP has shared through ASUG and partner updates about Cloud Identity Access Governance (IAG).

Cloud Identity Access Governance – An Update

As a refresher, SAP Cloud Identity Access Governance is SAP’s latest product under the GRC suite of products. It allows companies to enable and extend identity and access management capabilities to on-premise and cloud applications. IAG is built completely in the cloud (multi-tenant design) and includes some unique features not available in the on-premise GRC solution – we will highlight some in a separate blog post. The functionality of Cloud IAG is similar to on-premise Access Control with access governance as the key focus, but with much more emphasis on managing identities. The two products are still very different from a maturity perspective and we likely will not see a full replacement of Access Control for some time, if at all.

There are two different editions of IAG available which tends to be a source of confusion in the marketplace. SAP has referred to the functionality for integrating applications into their GRC suite as the IAG Bridge, but recently updated the name to IAG Integration Edition. The edition most appropriate for a company depends on the business problem that needs to be solved. Here is a quick summary of the two editions:

• Cloud IAG (Standalone): The standalone IAG product offers full functionality and provides all the functionality and integrations available.
  • This can be thought of loosely as SAP Access Control in the cloud
  • Much more emphasis on managing identities across SAP products, both in the cloud and on-premise
  • A good option for organizations with a “cloud first” strategy with regulatory requirements driving the need for additional compliance around application security.
  • The functionality offered with Integration Edition is limited at this time to Access Analysis, Role Design and Access Request
  • Access Control 12.0 is a prerequisite to be able to leverage IAG for integrating to other SAP cloud products into an on-premise GRC system
  • A good option for more complex organizations already leveraging Access Control to support mature governance processes and looking to expand monitoring and governance to cloud systems.

  Highlighting Two Key Integrations

  Integrating with SAP SuccessFactors

  Among all the integration scenarios offered by SAP, integration with SAP SuccessFactors is definitely an area of higher value. For customers using SuccessFactors, integration with IAG would enable them to utilize automated user provisioning, triggered by HR events that take place in SuccessFactors. This is important because it helps in closing the control gaps often found during terminations or as a result of position change, where access may not have been removed or updated in a timely manner, thus increasing the chances of control failures and risk of inappropriate access.

  There are different scenarios over the course of an employee lifecycle, like onboarding, transfers, promotions and retirement, that warrant the need to update employee access and thus result in continuous IT support costs. Integrating these HR driven events with IAG helps streamline the process, reduces dependence on IT support and accelerates the provisioning/deprovisioning processes.

  Integrating with SAP Ariba

  With increasing number of SAP customers going through transformation initiatives and adopting SAP Ariba for their procurement needs, it only makes sense that the governance solutions provided by SAP allow integration with Ariba. IAG not only supports integration with Ariba, but also offers a preconfigured ruleset for cross-application risk analysis between SAP S/4HANA and SAP Ariba. As a result of moving key processes into Ariba, the risk of performing master data maintenance in S/4HANA and procurement tasks in Ariba requires visibility into potential cross system risks.

  Conclusion

  With all that IAG has to offer, it can certainly help companies that are looking for a simplified and centralized access governance solution that is compatible with both on-prem and cloud SAP applications. IAG, being a cloud service offering, is a more attractive solution for customers with a “cloud first” technology strategy with a shorter time to implement. With the increased number of integration scenarios, and out-of-the-box standard rulesets released for key solutions like Ariba and SuccessFactors, SAP wants to ensure that access governance needs of customers adopting SAP’s cloud applications are taken into account.