SAP access management is a complex undertaking for businesses. The increasing regulatory pressures on organisations are leading to tighter management of user access rights – which means access management is crucial to business security.
But there are also benefits associated with improving access management that go beyond simply mitigating risk.
Leading IT market research and advisory firm IDC has outlined some of these benefits, the challenges associated with SAP access management, and the actions required to improve access control in a recent IDC Vendor Spotlight sponsored by Soterion.
Read or download the full IDC Spotlight
Key Takeaway #1: SAP access management is highly complex and is difficult to maintain as business, processes, and regulations change
Managing SAP access rights is highly complex due to the vast array of process and role configurations that organisations can and do utilise within their SAP applications. As organisations evolve and adopt new applications, the burden of managing access rights only increases, leading to increased costs and risks, particularly the chance of audits identifying control weaknesses resulting from SAP access irregularities.
Staying on top of SAP access rights is a challenge due to the vast number of possible access permutations and the rate at which they must be updated to keep up with organisational change. The rate of business transformation and the pace of regulatory change will only increase, so organisations must find a way of preventing increased SAP access risk from becoming a product of this environment.
Key Takeaway #2: Poor access management can lead to compromised processes that present a business risk and audit failures
Poor access management is most likely to be identified either during a statutory or internal audit, as these audits set out to identify weaknesses in an organisation’s processes that present a risk to the organisation and its various stakeholders, customers, and suppliers.
But, as the IDC Spotlight points out, the cost of poor access management extends beyond the risk of fraud and the cost of remediation. Incorrect access rights can be the root cause of an array of process inefficiencies, where users underutilise the technology available to them because they are unable to fully use it.
Where SAP users do not have the correct access, businesses can experience downtime (end users waiting for appropriate access), as assigning new access and getting the necessary approvals from line managers and risk owners can take time. There is also a link between access rights and software licensing: over-allocated access can lead to paying for more licences than the organisation actually requires.
Key Takeaway #3: SAP access management is technical in nature, but access decisions are best made by risk owners and line managers
SAP ERP manages access via transaction codes, which are assigned to an SAP role; the SAP role in turn is assigned to the SAP user.
This sounds reasonable and straightforward, but the vast dimensions of typical SAP installations mean that it is not:
- Over 140,000 transaction codes in SAP ECC
- Thousands of users that are not easily aggregated into roles with identical or highly similar access needs
- Often multiple legal or geographic entities with separate SAP installations and separate access management needs
- Frequent changes in access management requirements due to reorganisations, spin-offs, consolidations, changes in business scope, etc.
Despite this technical nature, IDC says this shouldn’t be left to the technical experts alone.
Access management responsibilities must be shared between the IT function and the process owners and managers. Business process owners are best placed to determine the rights required to execute a task within the relevant compliance rules, while managers are best placed to allocate roles to the individuals they manage.
Importantly, these business owners will be able to proactively manage and maintain access rights within their domain, given the right tools. This helps move access management from an annual reactive activity toward being an exercise in continuous compliance.
Empowered business owners will be able to map processes, identify weaknesses, and implement improvements. Understanding precisely how individuals interact with SAP processes enables organisations to apply the principle of least privilege to each member of staff, reducing risk without harming productivity.
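To make the chain described in this takeaway concrete, here is an added example (not code from Soterion or SAP) that models transaction codes assigned to roles assigned to users, then flags segregation-of-duties conflicts against an illustrative ruleset and reports assigned-but-never-executed transaction codes as least-privilege candidates. The transaction codes are standard SAP ones; the roles, users, rules and usage log are constructed for the illustration.

```python
# Added illustration (not Soterion's or SAP's code): the SAP access chain
# tcode -> role -> user, plus two checks: SoD conflicts and unused access.
# Tcodes are standard SAP ones; roles, users, rules and usage are constructed.
ROLE_TCODES = {
    "Z_AP_CLERK":   {"FK01", "FK02", "MIRO"},    # vendor master + invoice entry
    "Z_AP_PAYMENT": {"F110", "FBL1N"},           # payment run + vendor line items
    "Z_PURCHASER":  {"ME21N", "ME22N", "MIGO"},  # purchase orders + goods receipt
    "Z_BASIS":      {"SU01", "PFCG", "SE38"},    # user/role admin + ABAP editor
}
USER_ROLES = {
    "jsmith": {"Z_AP_CLERK", "Z_AP_PAYMENT"},  # can create vendors AND pay them
    "amara":  {"Z_PURCHASER"},
    "kbasis": {"Z_BASIS", "Z_AP_CLERK"},       # admin also holding a business role
}
# Illustrative SoD ruleset: (rule name, tcodes on side A, tcodes on side B).
SOD_RULES = [
    ("vendor_master_vs_payment", {"FK01", "FK02"}, {"F110"}),
    ("purchase_order_vs_invoice", {"ME21N", "ME22N"}, {"MIRO"}),
    ("user_admin_vs_business_tcode", {"SU01", "PFCG"},
     {"FK01", "FK02", "MIRO", "F110", "ME21N"}),
]
# Constructed usage log: (user, tcode) executed during the review window.
USAGE_LOG = [("jsmith", "FK02"), ("jsmith", "MIRO"), ("jsmith", "FBL1N"),
             ("amara", "ME21N"), ("amara", "MIGO"), ("kbasis", "SU01")]

def effective_tcodes(user, user_roles=USER_ROLES, role_tcodes=ROLE_TCODES):
    """Resolve user -> roles -> transaction codes into one effective set."""
    roles = user_roles.get(user, set())
    return set().union(*(role_tcodes.get(r, set()) for r in roles))

def sod_conflicts(user, rules=SOD_RULES, **kw):
    """List every rule for which the user holds tcodes on both sides."""
    held = effective_tcodes(user, **kw)
    hits = []
    for name, side_a, side_b in rules:
        a, b = held & side_a, held & side_b
        if a and b:
            hits.append((name, sorted(a), sorted(b)))
    return hits

def unused_access(user, usage_log=USAGE_LOG, **kw):
    """Assigned tcodes never executed in the window: least-privilege candidates."""
    used = {t for u, t in usage_log if u == user}
    return sorted(effective_tcodes(user, **kw) - used)

if __name__ == "__main__":
    for u in USER_ROLES:
        print(u, "SoD:", sod_conflicts(u), "unused:", unused_access(u))
```

In a real review the usage log would come from the system's transaction usage statistics and the ruleset from the organisation's own SoD matrix; the structure of the checks stays the same.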
Key Takeaway #4: SAP access must be managed proactively, and to do this a tool is required to monitor, interpret, and optimise each user’s access as it pertains to their role
In the IDC Vendor Spotlight, IDC profiles Soterion as an SAP access management solution that helps business managers understand, implement, and monitor access to SAP, reducing risk and improving efficiency.
Here’s what they had to say about Soterion:
“Soterion software tackles the challenge of the changing nature of SAP access rights – with an access management solution that helps business users see how users utilise their access in practice and highlights the business implications of poorly configured access rights.
“The work that Soterion has done to convert technical access rights data into insights that business decision-makers can understand and monitor continuously will help access management become proactive, rather than something to be tackled periodically ahead of an audit.”
IDC also highlighted some of the standout features of Soterion’s solution:
“Decisions regarding SAP access are best made by those that understand the business context in which processes and the staff who interact with them operate. Soterion’s tool helps visualise the relationship between access rights and business processes, highlighting weaknesses in a way that managers can quickly comprehend. The power of this tool is that it puts control in the hands of those best placed to make decisions.”
“A key differentiator of Soterion is its reporting capabilities, which illustrate access risks in business process flow diagrams.”
“For business users that are not SAP transaction code experts, it simplifies understanding where in the business process the conflicting access resides. By converting the technical GRC language into a language the business users can understand, it can help in making better decisions and make business users more involved and accountable in the process. Ultimately, this can improve the overall capability of the organisation to manage its risk.”
Soterion is a leading international provider of governance, risk, and compliance solutions for organisations running SAP. Soterion’s user-friendly GRC solutions provide in-depth access risk reporting to allow organisations to effectively manage their access risk exposure.
Soterion is passionate about simplifying governance, risk, and compliance processes, with a focus on translating this complexity into a business-friendly language to improve decision making and business accountability. Email [email protected] for more information.
Get in touch with one of our SAP security consultants to explore how we can help solve your GRC objectives.
Source: IDC Vendor Spotlight, Sponsored by Soterion, Soterion: Managing Risk and Ensuring Compliance Through Application Access Management, Doc. #EUR148915922, March 2022