Building More Effective Access Control Through Business-Centric GRC

Building More Effective Access Control Through Business-Centric GRC

If your SAP roles and rule sets are sound, your access control solution is set up for success

This article is based on a Tech Insights brief by Craig powers, Research Analyst at SAPinsider. The Brief takes a deeper look into what is needed to set an organisation up for success when it comes to access control.

Read a summary of Craig’s findings below or download the full SAPInsider Tech Insights Brief.

SAPInsider’s Tech Insights Brief highlights:
  • Business-centric access control engages business users in the access risk management process to help align access better with business needs.
  • SAP role clean-up and GRC rule set customisation are vital foundational elements to a successful access control solution.
  • Companies can significantly reduce access risk and access over-allocation through greater business involvement in access control.

Companies utilise access control solutions to identify risk within their user base. These solutions and processes are often technical and driven from audit and IT perspectives with very little input from business users who might find the technical GRC language hard to decipher. That’s where the idea of business-centric GRC comes into play for access control—providing the business with easier to understand, less technical language so that they can better interpret the data.

Understanding risk = greater ownership

If business users understand the access risks presented to them, they are more likely to ultimately take ownership of it. And when the business users take ownership of access risk, they can be held accountable.

 However, creating business-centric access control is difficult to do internally. More often than not it requires a solution that speaks to business users, such as Soterion’s Access Risk Manager, which features user-friendly interfaces and business process flows for easy risk remediation and effective access control management. 

Building a solid access control foundation

While it may take the right business-centric GRC solution to get business users invested in access control, it’s a mistake to view the software as a silver bullet.  
First, correcting the SAP role design within SAP must be done to optimise any technology investment. Once the organisation has implemented a good SAP role design, they must then ensure their GRC rule set is customised to align with their unique access and risk requirements.   

If your SAP roles and rule sets are sound, your access control solution is set up for success. The question then becomes: How do you measure success in access control? One way to do this is by gauging how well business users carry out access risk management activities.

The problem is that often business users need to perform certain GRC functions, but they understand very little about GRC itself. They complete the tasks to tick an audit box rather than to address a specific need within the organisation. This is why having business user engagement is so important.

Top 4 access control requirements and strategies

There are a few reasons organisations use an access control solution.

  1. Firstly, they need to ensure that their SAP systems are secure, often driven by internal and external audits. These audits seek to monitor if people are         assigned appropriate access and determine fraud risk associated with improper access.
  2. Companies are also concerned about improving efficiencies of their SAP user provisioning processes and making it easier to manage authorisations. The goal is to get business users to perform compliance tasks and access risk management activities much more efficiently.
  3. Complying with regulations is also a top priority for implementing access control processes and solutions, especially when it comes to data privacy. There is a significant amount of sensitive personal data in SAP. Understanding where that data resides and who has access to it is important—especially when complying with data privacy regulations
  4. Finally, companies see the need to move access risk responsibility away from IT departments to business users. This shift means moving beyond using GRC solutions solely as back-end tools and becoming more business-centric in managing access risk.

To accomplish these objectives, companies should look to streamline provisioning processes and utilise automation to improve efficiencies. One example is to make use of Business Roles.

This is a collection of SAP access from a number of SAP systems. When a Business Role is assigned to an SAP user, all the required access from the various SAP systems (including DEV and QAS) for that user is assigned. This reduces the effort and time taken to assign appropriate access.

Benefits of business-centric access control

There is such a tendency to over-allocate access in SAP. This is either due to SAP users inheriting roles as they move internally, or a user being assigned an SAP role that has 50 transaction codes where the user only needs to use one transaction code (SAP authorisation creep).

 A business-centric GRC solution will ensure compliance tasks such as a User Access review are more effective, and can result in much of the over-allocated access being removed resulting in an SAP authorisation solution that is well-aligned to what the users are doing in the SAP system. This remediation effort will reduce the effort required to carry out any future user access reviews i.e. with a well-aligned solution, the business users will have far fewer user–role relationships to review which can have a significant cost saving to the organisation.

Soterion has seen organisations reduce access risk by as much as 80%, significantly minimising the potential for fraud. One way business-centric access control reduces risk is that business users make informed decisions as to whether their users need specific SAP access or whether it poses too significant a risk to the organisation. This informed decision-making process results in only assigning only appropriate access to the users, which reduces the potential for fraud in the organisation.

What does this mean for you?

Here are three key takeaways to consider when planning your business-centric GRC and access control strategy:

  1. Properly defining your SAP roles and GRC rule sets are essential. 
    If your SAP roles and GRC rule sets aren’t adequately set up and customised to your organisation, it becomes difficult to assign appropriate access. If that’s the case, it doesn’t matter how great your GRC solution is because it won’t correctly assess risk without accurate role and rule set data.
  2. Make access control accessible to business users.
    While many companies rely on IT to carry out access control through GRC software, the business users must carry out proper access risk management processes. Provide business users with user-friendly interfaces and easy-to-understand (read: non-technical) language around necessary risk management. They will be more engaged and more likely to limit access risk effectively.
  3. Go beyond audits when measuring GRC effectiveness. 
    It’s tempting to rely on audits to do the heavy lifting when it comes to measuring the effectiveness of your GRC and access control programs and technologies. However, that’s more of a measurement of the result, not the process. Companies can get ahead of audits by looking at how well business users are performing their access risk management duties along the way.


How can Soterion Help You?

Soterion is the market leader in business-centric GRC. By converting the technical GRC language into a language the business users can understand, we facilitate business buy-in and accountability.

Feel free to email us on [email protected]. Let us help you take your GRC to the next level.

You may find this interesting