GRC Update of SAPSA on Access Control / IAG topics
PUBLIC
Gero Maeder, VP Development GRC
© 2021 SAP SE or an SAP affiliate company. All rights reserved.
Disclaimer
The information in this presentation is confidential and proprietary to SAP and may not be disclosed without the permission of SAP.
Except for your obligation to protect confidential information, this presentation is not subject to your license agreement or any other service
or subscription agreement with SAP. SAP has no obligation to pursue any course of business outlined in this presentation or any related
document, or to develop or release any functionality mentioned therein.
This presentation, or any related document and SAP's strategy and possible future developments, products and or platforms directions and
functionality are all subject to change and may be changed by SAP at any time for any reason without notice. The information in this
presentation is not a commitment, promise or legal obligation to deliver any material, code or functionality. This presentation is provided
without a warranty of any kind, either express or implied, including but not limited to, the implied warranties of merchantability, fitness for a
particular purpose, or non-infringement. This presentation is for informational purposes and may not be incorporated into a contract. SAP
assumes no responsibility for errors or omissions in this presentation, except if such damages were caused by SAP’s intentional or gross
negligence.
All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ materially from
expectations. Readers are cautioned not to place undue reliance on these forward-looking statements, which speak only as of their dates,
and they should not be relied upon in making purchasing decisions.
Agenda
1. Update on Roadmap
2. Update on integration scenarios between AC12 and IAG
3. Available APIs
Update on Roadmap
Easy-to-consume / Modular & scalable / Process-cognizant
Transform Your Governance, Risk and Compliance Practices
Embed GRC and security in SAP S/4HANA and Intelligent Enterprise
Across all functions
APPLICATIONS
TECHNOLOGY
BUSINESS
PROCESS
Intelligent GRC for Intelligent Enterprise
BUSINESS NETWORK
SAP GRC solutions: Product or portfolio areas of future investment
▪ Centralised consolidated, holistic, up to date GRC content provides single contextualised perspective
▪ Proactive alerting for informed strategy setting and decision-making
▪ SAP GRC functions will be directly embedded across the Intelligent Enterprise
▪ Out-of-the-box connectivity with SAP S/4HANA, SAP SuccessFactors, SAP Ariba
▪ Future innovations delivered with a “cloud-first” mindset
▪ Existing SAP GRC solutions (On-Premise) benefit from future cloud innovations via bridge scenarios
Embedded compliance: Business processes integration
Proactive risk management: Across all domains
Frictionless consumption: Cloud or on premise
Key Elements of an Intelligent GRC Solution
▪ Easy-to-deploy, configure and use for GRC and business experts to increase acceptance
▪ Offers content packages for existing legal and industry requirements to accelerate GRC projects
▪ Prioritizes end-to-end process integration over data integration to generate value for the organization
▪ Aware of the company's ecosystem (suppliers, distributors, customers) to protect the organization
▪ Re-configures existing services to meet new requirements rather than forcing a new implementation to keep GRC cost in control
▪ Leverages Artificial Intelligence to pre-process information for the GRC expert to increase focus
Easy-to-consume / Modular & scalable / Process-cognizant
Transform Your Governance, Risk and Compliance Practices
Embed GRC and security in SAP S/4HANA and Intelligent Enterprise
Across all functions
APPLICATIONS
TECHNOLOGY
BUSINESS
PROCESS
ENTERPRISE RISK AND COMPLIANCE
IDENTITY AND ACCESS GOVERNANCE
CYBERSECURITY, DATA PROTECTION, AND PRIVACY
INTERNATIONAL TRADE
BUSINESS NETWORK
SAP Access Control - Enhancements for 2021 and Beyond!
Customer directed continuous improvement!!
▪ Business Role Management
  ▪ User creation during business role provisioning
  ▪ Enhanced business role change history
▪ User Access Review
  ▪ UAR requests now have ability to remove business roles in multi-tiered landscape
  ▪ Export UAR assignments to Excel
▪ Emergency Access Management
  ▪ Ticket linking from external system to firefighter log review
  ▪ New EAM log review with audit trail for reviews
▪ Access Request
  ▪ Updated Fiori Apps: Multi-processing of Access Requests, Multi-user requests
▪ Access Risk Analysis
  ▪ Risk Owner Stage improvements – limits risks to be viewed by risk owner
  ▪ Risk library download and transport by ruleset
Future direction - Access Control is driving digital transformation enabling seamless access governance for public, private cloud and hybrid landscapes
  ▪ Access Control PCE – S4 Hana Add-on and Extra Stack
  ▪ Integration options with SAP Cloud IAG and SAP IDM
Access Risk Overview Page
For enhancements of Access Control, always follow the Customer Connect delivery calls!
Recently delivered and new enhancements
SAP GRC Solutions – Product Roadmap, Key Innovations: SAP Access Control
Recent innovations | 2021 – Planned innovations [1] | 2022 – Product direction [1] | 2023 – Product vision [1]
[1] This is the current state of planning and may be changed by SAP at any time without notice.
Extend Access Governance
▪ Cloud Application using SAP Cloud Identity Access Governance
Access analysis
▪ Advanced Analytics with Overview pages
Access request
▪ SAP Fiori app enhancements for employees and approvers
Role Management
▪ Centralized Business Role management harmonized Business role management with SAP IDM
Process Transparency
▪ Cross Navigation between related workflow items
– Access Request & Mitigation Assignment Workflow
– Emergency Access request and Log review
Extend Access Governance
▪ SCIM Interface for provisioning with SAP Cloud Identity Access Governance
Access analysis
▪ Ruleset Simulator,
▪ Risk Maintenance workflow enhancements
Access request
▪ Processing Termination event from SAP Success Factors
▪ Multi user – Multi Role request process
Role Management
▪ Mass Update of Business Role assignments
User Access Review
▪ Handling de-provisioning of Indirect assignments ( via HR Org )
Emergency Access Management
▪ Enhanced change Log and log review process
Extend Access Governance using Cloud IAG
Conversational AI for employees
▪ Password reset
▪ Access Request
▪ Request status
▪ Enhance User Experience
Advanced Machine learning features for Role determination and user access review
Extend Role design using Cloud Identity Access Management (Cloud IAG)
Seamless identity lifecycle process for managing workforce access
Governing identity and access requests on premise and in the cloud
Continuous Improvement
▪ Customer Feedback and enhancement requirements
Enhance Segregation of duties ruleset for other applications
SAP Cloud Identity Access Governance: Planned 2021 highlights
Access Analysis and Access Request
New integrations and interfaces
▪ New Request API – enables programmatic access to initiate access requests
▪ HR Event Interface – trigger provisioning actions based on HR events
▪ Standards-based support for System for Cross-domain Identity Management (SCIM) to connect and manage 3rd party business applications
▪ Configurable workflows for SAP Cloud Identity Access Governance
▪ NEW! API-based integrations with SAP Concur and SAP Sales Cloud
Role Design, Access Certification and Privilege Access Management
Emergency Access Management – Firefighting from the Cloud!!
▪ Support ECC for emergency access management scenarios from IAG in the cloud
▪ Look for more announcements as additional systems are supported
▪ Privilege Access Management enables continuous control while granting privileged and elevated access to the system landscape
For more information and assets on SAP Cloud Identity Access Governance visit the SAP Jam page on the Finance & Risk hub
1. This is the current state of planning and may be changed by SAP at any time without notice.
SAP GRC Solutions SAP Cloud Identity Access Governance
V2108 – Recent innovations | V2111 – Planned Q4/2021 [1] | V2202 – Planned Q1/2022 [1] | V2205 – Planned Q3/2022 [1]
SAP Cloud Identity Access Governance
▪ Flexible and customizable workflow
– Access Request
▪ Emergency Access Management
▪ Expanded APIs – Request API
▪ Risk Review Report
▪ Successfactors Integration with more secure OAuth support
SAP Cloud Identity Access Governance
▪ Access Management integrations
– SAP S/4HANA for advanced financial closing
– SAP Intelligent Asset Management
– Support universal user ID –
– SAP S4 Hana on-prem
– SAP S4 Hana Cloud
▪ API for consuming 3rd party HR events
▪ Access Analysis and Remediation
Insights into Actual Risks with Conflicts
▪ Access Certification inbox enhancements
SAP Cloud Identity Access Governance
▪ Access Analysis integrations
– 3rd Party Application support via API
▪ Expanded PAM integrations
▪ Flexible and customizable workflow
– Access certification
– Privileged Access Management approval process
▪ Identity Analytics – enhancements
SAP Cloud Identity Access Governance
▪ Identity Lifecycle Management and Administration API
– MDI Integration
▪ Access Management integrations
– SAP Concur
– SAP Sales Cloud
▪ Access Risk Assessment API
▪ Identity Access Reports
– Who has what where
For details see Road Map Explorer
Update on integration scenarios
Hybrid Identity and Access Governance
[Architecture diagram: on-premise landscape and cloud, separated by a firewall. Labelled components:]
▪ End User, Workflow, Self-Service
▪ Cloud IAG Bridge*
▪ SAP Business Suite, SAP NetWeaver, ..., 3rd Party
▪ SAP Access Control*: Access Analysis, Role Design, Access Request, Emergency Access Management
▪ SAP Identity Management: Users/Groups, Roles, Connectors
▪ SAP Jam***, C/4HANA***, Provisioning**
*SAP Access Control 12 and above
**Optional
***Coming
Integration: bridge concept of SAP Cloud Identity Access Governance
User Access Administration
▪ On-premise applications: SAP Access Control (on premise)
▪ Cloud applications: SAP Cloud Identity Access Governance
Shared Content
▪ Risk library
▪ Mitigation controls
▪ Mitigation
Shared Functions
▪ Access request simulation
▪ Business role simulation
Integration: cloud applications
1. SAP Access Control → on-premise applications
2. SAP Cloud Identity Access Governance → cloud applications
3. Cloud SAP Cloud Identity Access Governance bridge sync (SAP Access Control → SAP Cloud Identity Access Governance)
   a) Access risk library
   b) Repository data
   c) Mitigation controls and mitigation (user + access risk + mitigation control + monitor)
4. SAP Access Control access request and access analysis simulation (SAP Access Control → SAP Cloud Identity Access Governance)
   a) Simulation during access request process → SAP Cloud Identity Access Governance access analysis service
   b) Mitigation in access request temporary (control look up → SAP Cloud Identity Access Governance)
   c) Persistent mitigation after approval process (SAP Access Control workflow → SAP Cloud Identity Access Governance)
Hybrid Identity and Access Governance
[Architecture diagram: on-premise landscape and cloud, separated by a firewall. Labelled components:]
▪ End User, Workflow, Self-Service
▪ Cloud IAG Bridge*
▪ SAP Business Suite, SAP NetWeaver, ..., 3rd Party
▪ SAP Cloud Identity Access Governance: Access Analysis, Role Design, Access Request
▪ SAP Cloud Platform Identity Provisioning: Users/Groups, Roles, Connectors
▪ SAP Access Control*: Access Analysis, Role Design, Access Request, Emergency Access Management
▪ SAP Identity Management: Users/Groups, Roles, Connectors
▪ SAP Jam***, C/4HANA***, Provisioning**
*SAP Access Control 12 and above
**Optional
***Coming
SAP Cloud Identity Access Governance
8007928
SAP Cloud Identity Access Governance
Definition of metric: Connection is an integration of two unique end points between the Cloud Service and a customer designated system or dedicated data source
Features
▪ Access Risk Analysis
▪ Business Role Management
▪ System Connectors
▪ User Provisioning
▪ Access Certification
▪ Approval Workflow
▪ Emergency Access Management
▪ Access Risk Analysis
▪ Business Role Management
▪ System Connectors (Cloud only)
▪ User Provisioning
Limited features set through automated cloud provisioning profiles
Definition of metric: Individual Users are unique individuals being managed by the Cloud Service or who use the reporting console of the Cloud Service
SAP Cloud Identity Access Governance, integration edition
8008254
Identity Access Deployment Models
Access Control Hybrid Cloud IAG integration edition with
Access Control
Cloud Identity Access
Governance
Access Request
Access Request – API
based integration
Business Role Management
Role Re-engineering
Role Lifecycle Management
Privileged Access
Management
Access Risk Analysis
Control Monitoring
Access Certification
Available APIs
Available APIs for external consumption in IAG
1. SCIM to provision to non-SAP systems (executed via IPS)
2. A complete package for Access Request services: SAP API Business Hub
3. Candidates for later releases: API to trigger an SOD analysis in IAG
Dr. Gero Maeder
VP Development GRC
GRC User Groups Point of Contact
Thank you!
© 2021 SAP SE or an SAP affiliate company. All rights reserved.
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of
SAP SE or an SAP affiliate company.
The information contained herein may be changed without prior notice. Some software products marketed by SAP SE and its
distributors contain proprietary software components of other software vendors. National product specifications may vary.
These materials are provided by SAP SE or an SAP affiliate company for informational purposes only, without representation or
warranty of any kind, and SAP or its affiliated companies shall not be liable for errors or omissions with respect to the materials.
The only warranties for SAP or SAP affiliate company products and services are those that are set forth in the express warranty
statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional
warranty.
In particular, SAP SE or its affiliated companies have no obligation to pursue any course of business outlined in this document or
any related presentation, or to develop or release any functionality mentioned therein. This document, or any related presentation,
and SAP SE’s or its affiliated companies’ strategy and possible future developments, products, and/or platforms, directions, and
functionality are all subject to change and may be changed by SAP SE or its affiliated companies at any time for any reason
without notice. The information in this document is not a commitment, promise, or legal obligation to deliver any material, code, or
functionality. All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ
materially from expectations. Readers are cautioned not to place undue reliance on these forward-looking statements, and they
should not be relied upon in making purchasing decisions.
SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered
trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries. All other product and service names
mentioned are the trademarks of their respective companies.
See www.sap.com/trademark for additional trademark information and notices.
www.sap.com/contactsap