H2FY20 Get IAM Right in SAP-centric organizations
The root of the problem
The challenges with IAM in an SAP-centric environment are the same as
IAM failures elsewhere, but SAP seems to make it riskier if you get it
wrong. It comes down to complexity and ownership.
The complexity is due to the fact that fundamental activities of effective
IAM must often be addressed in silos. What you have to do for this SAP
module, you have to separately do for that module, and then one more
time each for additional systems, such as Microsoft Active Directory
(AD), and every application that is connected to the enterprise.
Often the teams that know how to do something — such as managing
user accounts in various SAP modules — are different from the teams
that know why it must be done. The latter is often the line-of-business
team, which will feel the pain directly if something goes wrong.
The four A’s of IAM:
Authentication – those things you do to enable the right users to
log on to systems.
Challenge: This often involves usernames and passwords but could
also include various forms of multifactor authentication. Even in the
SAP world, there is often little consistency across the authentication
experience from module to module. SAP HR uses one method of
authentication, SAP BI may use another and SAP ECC still another.
The result is multiple user passwords, which can be a challenge to
remember, and lots of hoops to jump through to gain access. This is in
addition to all the non-SAP passwords users must manage.
Authorization – what permissions do users have?
Challenge: Again, the lack of a single source of the truth may result in a single user possessing multiple profiles
across various SAP modules and the range of non-SAP systems. This lack of consistency and its corresponding
lack of control is often the culprit for security incidents – users with more permissions than they need – and
user dissatisfaction – users finding it difficult to get to the resources they need to do their jobs.
Administration – the processes that someone has to go through to set up authentication and authorization.
Challenge: In a highly diverse environment, multiple teams may be responsible for managing the lifecycle
of those accounts, such as setting up user accounts (known as provisioning) and turning off access (deprovisioning) when it is no longer needed. Often, this team consists of IT staff who know how to set up the accounts
but are not the line-of-business owners who understand why. This business team will ultimately be
accountable if it isn’t done correctly.
With an inconsistent set of administration tools across various SAP modules, the result is often haphazard, with
a high amount of guesswork (‘give Bill the same rights as Joe’) and inefficiency (‘it’s been three weeks and
Bill still can’t get to the SAP BI tools he needs to do his job’).