Access and Authorization Risks
Without proper controls, accidental and intentional activities due to excessive access privileges can impact performance and reputation.
Addressing regulatory mandates with manual activities and fragmented processes increases cost and complexity.
Complexity impacts access and authorization management, making it inefficient. Consequently, risks are not identified and managed in time and no proper remediation or mitigation is possible.
With the ongoing digital transformation, many of the traditional business functions shift from on-premise to the cloud. At the end of the day, the SAP customer has to deal with access governance in these hybrid landscapes.
SAP Cloud Identity Access Governance (SAP IAG) and SAP Access Control are solutions in the area of identity and access management (IAM). IAM tools must provide automated and repeatable ways to govern the identity lifecycle from start to finish. Organizations must manage user identities and govern identity and access requests on-premise and in the cloud consistently and compliantly, including the following:
- User provisioning
- Self service
- Workflows and approval workflows
- Segregation of duties (SoD)
- Delegated administration
- Organizational management
- Role management
- Privileged user management/firefighter
- Single sign-on (SSO)
- Reporting
SAP IAG delivers these capabilities and security controls and, in a best-case scenario, integrates with and covers all types of users and applications (on-premise and in the cloud) for the entire lifecycle, from hire to retire.

SAP IAG offers a capability similar to the HR Trigger in SAP Access Control, which allows you to automatically create access requests based on input from HR. You can integrate the SAP Cloud Identity Access Governance solution with SAP SuccessFactors Employee Central as your HR system. This allows you to capture changes to the employment status in the HR system and to initiate access requests automatically through IAG. The access request service converts the HR triggers to change requests, which are then provisioned to target applications (cloud and on-premise) through predefined business roles.
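
The HR-triggered flow described above, sketched as an added example that is not SAP code and does not use the IAG API: HR events become change requests, which are provisioned through business roles. The event types, job titles, business roles, system names and function names are all constructed assumptions, and the approval workflow is left out.

```python
# Added illustration; every name below is constructed, none comes from SAP.
BUSINESS_ROLES = {  # business role -> {(target system, technical role)}
    "BR_AP_CLERK": {("ONPREM_ERP", "AP_INVOICE_ENTRY"), ("CLOUD_APP_A", "INVOICE_VIEWER")},
    "BR_AP_MANAGER": {("ONPREM_ERP", "AP_INVOICE_ENTRY"), ("ONPREM_ERP", "AP_PAYMENT_RELEASE")},
}
JOB_TO_BUSINESS_ROLE = {"AP Clerk": "BR_AP_CLERK", "AP Manager": "BR_AP_MANAGER"}


def hr_event_to_change_request(event, current_access):
    """Convert one HR event into provisioning items (action, system, role)."""
    kind = event["type"]
    if kind == "TERMINATION":
        target = set()  # retire: nothing may remain assigned
    elif kind in ("HIRE", "JOB_CHANGE"):
        job = event["job"]
        if job not in JOB_TO_BUSINESS_ROLE:
            # Unmapped job: fail closed so a human decides, rather than guessing a role.
            raise ValueError(f"no business role mapped for job {job!r}")
        target = BUSINESS_ROLES[JOB_TO_BUSINESS_ROLE[job]]
    else:
        raise ValueError(f"unsupported HR event type {kind!r}")
    assigns = [("ASSIGN", s, r) for s, r in target - current_access]
    # Removing what the new position lacks prevents privilege accumulation on moves.
    removes = [("REMOVE", s, r) for s, r in current_access - target]
    return sorted(assigns + removes)


def provision(current_access, items):
    """Apply change-request items and return the resulting access set."""
    access = set(current_access)
    for action, system, role in items:
        if action == "ASSIGN":
            access.add((system, role))
        else:
            access.discard((system, role))
    return access


def replay(events):
    """Run a hire-to-retire sequence for one user; return access after each event."""
    access, history = set(), []
    for event in events:
        access = provision(access, hr_event_to_change_request(event, access))
        history.append(sorted(access))
    return history


# Constructed sample: one employee is hired, promoted, then leaves.
SAMPLE_EVENTS = [{"type": "HIRE", "job": "AP Clerk"},
                 {"type": "JOB_CHANGE", "job": "AP Manager"},
                 {"type": "TERMINATION"}]
```

The job change produces a removal as well as an assignment, so the access left over from the previous position does not stay with the user.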

SAP Cloud Identity Access Governance helps customers to achieve access control and governance through the following key services:
- Access Request
  - The Access Request service provides self-service access request forms and forms for requesting access on behalf of others, for user and role provisioning into cloud applications, backed by workflow-driven access provisioning, among other features.
- Role Design
  - Role Design allows users to design access roles with machine learning (ML) based algorithms that define and refine the required roles using a bottom-up approach.
- Access Certification
  - The Access Certification service in SAP Cloud Identity Access Governance provides the option to certify access spread across multiple cloud solutions by allowing reviewers to regularly audit and certify the roles assigned.
- Access Analysis
  - The Access Analysis service is primarily meant for security administrators and compliance teams, who use it to analyze access risks across cloud applications and to refine or remediate access according to audit requirements.
- Privileged Access Management
  - Privileged Access Management (PAM) is another service provided in SAP Cloud Identity Access Governance, used to manage and monitor emergency access.
Note: Currently PAM is only supported for on-premise solutions, such as SAP S/4HANA on-premise. Cloud applications are not supported yet.



