GRC essentials for SAP Customers

The importance of a solid foundation

Many organisations running SAP are either in project mode on their journey to S/4HANA or in the planning phases of their S/4HANA project. Most organisations have identified this journey as a unique opportunity to strengthen their SAP security. Thoughts intuitively turn to GRC and IAM tools to achieve this. Without addressing the underlying issues of the SAP role design, GRC and IAM tools will not deliver the expected results and leave the organisation disappointed.

Many organisations have outdated role designs that grant users access well beyond what their job functions require. These organisations mistakenly assume SAP security can be solved solely with products and tools, e.g. Access Control or Identity Access Management solutions. These will help, but the capability of these tools is significantly diminished if the underlying SAP role design is outdated and/or inappropriate. Your organisation won’t derive the expected value from these investments because of this poor underlying SAP role design. The SAP role design forms the foundation of all things GRC and IAM.

Effective GRC Pyramid

Let’s consider the impact of inappropriate SAP role design, which provides users with far too much access, on both GRC and IAM tools.

1. Access Control solution
The Access Control solution highlights so many access risk violations that the business users reviewing them don’t know where to start. Because of the sheer volume of risk violations, business users may start approving every SAP access change request without placing much value on the results. In short, the capability of the access risk solution is diminished.

2. Identity Access Management solution
The Identity Access Management solution brings about efficiencies in the joiner, mover and leaver processes. However, it will be automating the assignment of inappropriate access, which results in a very high access risk count. This is far from ideal and counter-productive to the organisation’s S/4 strategy, particularly as these organisations are placing more emphasis on security.

So, what does all this mean practically? If you’re a GRC practitioner wanting to leverage your organisation’s S/4HANA journey to bolster your security, and you suspect your underlying SAP role design is outdated, what should you do to address this? You have two options for addressing an inappropriate SAP role design: either an SAP role clean-up or an SAP role redesign. Let’s explain this in a bit more detail.

SAP Role Clean-up

An SAP role clean-up is usually possible where the underlying SAP role design is still in relatively good shape i.e. the SAP single roles are well built.

However, the challenge is that these roles have been over-allocated over the years due to SAP authorisation creep. You may find that there are a small number of roles that require content changes (role splits, etc.).

An SAP role clean-up is usually preferred by organisations as it is a quicker and less expensive project. An additional benefit is that it is less disruptive on the business, with fewer end-users testing and fewer authorisation issues than a redesign project.

SAP Role Redesign

A role redesign is recommended when the effort to clean up the SAP solution is greater than the effort to perform a role redesign. In other words, the SAP solution has deteriorated past the point of no return.

An SAP role redesign is typically a longer, more costly engagement than a role clean-up, and entails greater levels of business involvement and disruption. However, there are several significant benefits to an SAP role redesign.

Firstly, if your organisation has not performed a role redesign for several years, the control requirements of the organisation may have changed over time. For example, Movement Types or Warehouse Numbers may not have been important ten years ago. However, with a role redesign, these new control elements can be introduced.

SAP has introduced several new control authorisations through the years. For example, table access can now be controlled at a more granular level by table name (S_TABU_NAM) rather than only at the wider level of table authorisation groups (S_TABU_DIS). At the same time, new data privacy regulations are affecting many organisations, so more granular control is required, and this can be achieved through a role redesign project. Privacy by design is central to most of the data privacy regulations, and implementing it as part of a role redesign is likely to be easier than as part of a role clean-up project.
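To make the S_TABU_DIS versus S_TABU_NAM point concrete, the following is an added example (not code from the article) that models SAP’s generic table-access check: S_TABU_DIS is checked against the table’s authorisation group first, and S_TABU_NAM against the table name only if that fails. The table-to-group mapping and the two roles are constructed for illustration, not taken from any real system.

```python
"""Model of SAP's table-access check order: S_TABU_DIS (by authorisation
group) first, then S_TABU_NAM (by table name) as a fallback.
Added example; the table data and roles below are constructed."""
from fnmatch import fnmatchcase

# Constructed TDDAT-style mapping of table name -> authorisation group.
# Tables with no explicit group fall into the default group &NC&.
TABLE_GROUPS = {"PA0008": "PA", "PA0002": "PA", "MARA": "MA", "ZCUSTOM": "&NC&"}


def auth_group(table):
    return TABLE_GROUPS.get(table, "&NC&")


def matches(values, wanted):
    """SAP-style field match: full values or '*' patterns in the role."""
    return any(fnmatchcase(wanted, v) for v in values)


def table_access_allowed(role, table, actvt):
    """Return the object that granted access ('S_TABU_DIS'/'S_TABU_NAM') or None."""
    for auth in role.get("S_TABU_DIS", []):
        if matches(auth["DICBERCLS"], auth_group(table)) and matches(auth["ACTVT"], actvt):
            return "S_TABU_DIS"
    for auth in role.get("S_TABU_NAM", []):
        if matches(auth["TABLE"], table) and matches(auth["ACTVT"], actvt):
            return "S_TABU_NAM"
    return None


# Legacy role: display on the whole HR group, so every PA* table is exposed,
# including payroll data (PA0008) the job may never need.
LEGACY_ROLE = {"S_TABU_DIS": [{"DICBERCLS": ["PA"], "ACTVT": ["03"]}]}

# Redesigned role: display only the single table the job function requires.
REDESIGNED_ROLE = {"S_TABU_NAM": [{"TABLE": ["PA0002"], "ACTVT": ["03"]}]}


def exposed_tables(role, actvt="03"):
    """List every known table the role can reach with the given activity."""
    return sorted(t for t in TABLE_GROUPS if table_access_allowed(role, t, actvt))
```

Running `exposed_tables` on both roles shows the group-level grant reaching PA0008 as well as PA0002, while the name-level grant reaches only PA0002.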

In summary, central to any secure SAP environment is a good SAP role design. It forms the backbone of all things GRC. If your organisation does not see the value in addressing the underlying SAP role design, it will never extract the expected value from its GRC and IAM solutions. Addressing the SAP role design is an investment that will be well worth it in the long run.

For more information please email us at [email protected]