GRC Update of SAPSA on Access Control / IAG topics

Page 1: GRC Update of SAPSA on Access Control / IAG topics

PUBLIC

GRC Update of SAPSA on Access Control / IAG topics

Gero Maeder, VP Development GRC

Page 2: GRC Update of SAPSA on Access Control / IAG topics

PUBLIC © 2021 SAP SE or an SAP affiliate company. All rights reserved.

Disclaimer

The information in this presentation is confidential and proprietary to SAP and may not be disclosed without the permission of SAP. Except for your obligation to protect confidential information, this presentation is not subject to your license agreement or any other service or subscription agreement with SAP. SAP has no obligation to pursue any course of business outlined in this presentation or any related document, or to develop or release any functionality mentioned therein.

This presentation, or any related document and SAP's strategy and possible future developments, products and/or platforms directions and functionality are all subject to change and may be changed by SAP at any time for any reason without notice. The information in this presentation is not a commitment, promise or legal obligation to deliver any material, code or functionality. This presentation is provided without a warranty of any kind, either express or implied, including but not limited to, the implied warranties of merchantability, fitness for a particular purpose, or non-infringement. This presentation is for informational purposes and may not be incorporated into a contract. SAP assumes no responsibility for errors or omissions in this presentation, except if such damages were caused by SAP’s intentional or gross negligence.

All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ materially from expectations. Readers are cautioned not to place undue reliance on these forward-looking statements, which speak only as of their dates, and they should not be relied upon in making purchasing decisions.

Page 3: GRC Update of SAPSA on Access Control / IAG topics

Agenda

1. Update on Roadmap

2. Update on integration scenarios between AC12 and IAG

3. Available APIs

Page 4: GRC Update of SAPSA on Access Control / IAG topics

Update on Roadmap

Page 5: GRC Update of SAPSA on Access Control / IAG topics

Transform Your Governance, Risk and Compliance Practices

Embed GRC and security in SAP S/4HANA and Intelligent Enterprise

Across all functions

Intelligent GRC for Intelligent Enterprise

Easy-to-consume, Modular & scalable, Process-cognizant

[Diagram labels: APPLICATIONS, TECHNOLOGY, BUSINESS PROCESS, BUSINESS NETWORK]

Page 6: GRC Update of SAPSA on Access Control / IAG topics

SAP GRC solutions: Product or portfolio areas of future investment

▪ Centralised consolidated, holistic, up to date GRC content provides single contextualised perspective
▪ Proactive alerting for informed strategy setting and decision-making
▪ SAP GRC functions will be directly embedded across the Intelligent Enterprise
▪ Out-of-the-box connectivity with SAP S/4HANA, SAP SuccessFactors, SAP Ariba
▪ Future innovations delivered with a “cloud-first” mindset
▪ Existing SAP GRC solutions (On-Premise) benefit from future cloud innovations via bridge scenarios

Embedded compliance: Business processes integration

Proactive risk management: Across all domains

Frictionless consumption: Cloud or on premise

Page 7: GRC Update of SAPSA on Access Control / IAG topics

Key Elements of an Intelligent GRC Solution

▪ Easy-to-deploy, configure and use for GRC and business experts to increase acceptance
▪ Offers content packages for existing legal and industry requirements to accelerate GRC projects
▪ Prioritizes end-to-end process integration over data integration to generate value for the organization
▪ Aware of the company's ecosystem (suppliers, distributors, customers) to protect the organization
▪ Re-configures existing services to meet new requirements rather than forcing a new implementation to keep GRC cost in control
▪ Leverages Artificial Intelligence to pre-process information for the GRC expert to increase focus

Easy-to-consume, Modular & scalable, Process-cognizant

Page 8: GRC Update of SAPSA on Access Control / IAG topics

Transform Your Governance, Risk and Compliance Practices

Embed GRC and security in SAP S/4HANA and Intelligent Enterprise

Across all functions

[Diagram labels: APPLICATIONS, TECHNOLOGY, BUSINESS PROCESS, BUSINESS NETWORK]

ENTERPRISE RISK AND COMPLIANCE

IDENTITY AND ACCESS GOVERNANCE

CYBERSECURITY, DATA PROTECTION, AND PRIVACY

INTERNATIONAL TRADE

Page 9: GRC Update of SAPSA on Access Control / IAG topics

SAP Access Control - Enhancements for 2021 and Beyond!

Customer directed continuous improvement!!

▪ Business Role Management
  – User creation during business role provisioning
  – Enhanced business role change history
▪ User Access Review
  – UAR requests now have ability to remove business roles in multi-tiered landscape
  – Export UAR assignments to Excel
▪ Emergency Access Management
  – Ticket linking from external system to firefighter log review
  – New EAM log review with audit trail for reviews
▪ Access Request
  – Updated Fiori Apps: Multi-processing of Access Requests, Multi-user requests
▪ Access Risk Analysis
  – Risk Owner Stage improvements – limits risks to be viewed by risk owner
  – Risk library download and transport by ruleset

Future direction – Access Control is driving digital transformation, enabling seamless access governance for public, private cloud and hybrid landscapes

▪ Access Control PCE – S4 Hana Add-on and Extra Stack
▪ Integration options with SAP Cloud IAG and SAP IDM

Access Risk Overview Page

Page 10: GRC Update of SAPSA on Access Control / IAG topics

Recently delivered and new enhancements

For enhancements of Access Control, always follow the Customer Connect delivery calls!

Page 11: GRC Update of SAPSA on Access Control / IAG topics

SAP GRC Solutions – Product Roadmap, Key Innovations: SAP Access Control

Roadmap columns: Recent innovations; 2021 – Planned innovations¹; 2022 – Product direction¹; 2023 – Product vision¹

Extend Access Governance
▪ Cloud Application using SAP Cloud Identity Access Governance

Access analysis
▪ Advanced Analytics with Overview pages

Access request
▪ SAP Fiori app enhancements for employees and approvers

Role Management
▪ Centralized Business Role management harmonized Business role management with SAP IDM

Process Transparency
▪ Cross Navigation between related workflow items
  – Access Request & Mitigation Assignment Workflow
  – Emergency Access request and Log review

Extend Access Governance
▪ SCIM Interface for provisioning with SAP Cloud Identity Access Governance

Access analysis
▪ Ruleset Simulator
▪ Risk Maintenance workflow enhancements

Access request
▪ Processing Termination event from SAP SuccessFactors
▪ Multi user – Multi Role request process

Role Management
▪ Mass Update of Business Role assignments

User Access Review
▪ Handling de-provisioning of Indirect assignments (via HR Org)

Emergency Access Management
▪ Enhanced change Log and log review process

Extend Access Governance using Cloud IAG

Conversational AI for employees
▪ Password reset
▪ Access Request
▪ Request status
▪ Enhance User Experience

Advanced Machine learning features for Role determination and user access review

Extend Role design using Cloud Identity Access Management (Cloud IAG)

Seamless identity lifecycle process for managing workforce access

Governing identity and access requests on premise and in the cloud

Continuous Improvement
▪ Customer Feedback and enhancement requirements

Enhance Segregation of duties ruleset for other applications

1. This is the current state of planning and may be changed by SAP at any time without notice.

Page 12: GRC Update of SAPSA on Access Control / IAG topics

SAP Cloud Identity Access Governance: Planned 2021 highlights

Access Analysis and Access Request

New integrations and interfaces
▪ New Request API – enables programmatic access to initiate access requests
▪ HR Event Interface – trigger provisioning actions based on HR events
▪ Standards-based support for System for Cross-domain Identity Management (SCIM) to connect and manage 3rd party business applications
▪ Configurable workflows for SAP Cloud Identity Access Governance
▪ NEW! API-based integrations with SAP Concur and SAP Sales Cloud

Role Design, Access Certification and Privilege Access Management

Emergency Access Management – Firefighting from the Cloud!!
▪ Support ECC for emergency access management scenarios from IAG in the cloud
▪ Look for more announcements as additional systems are supported
▪ Privilege Access Management enables continuous control while granting privileged and elevated access to the system landscape

For more information and assets on SAP Cloud Identity Access Governance visit the SAP Jam page on the Finance & Risk hub

Page 13: GRC Update of SAPSA on Access Control / IAG topics

SAP GRC Solutions: SAP Cloud Identity Access Governance

Roadmap columns: V2108 – Recent innovations; V2111 – Planned Q4/2021¹; V2202 – Planned Q1/2022¹; V2205 – Planned Q3/2022¹

SAP Cloud Identity Access Governance
▪ Flexible and customizable workflow
  – Access Request
▪ Emergency Access Management
▪ Expanded APIs – Request API
▪ Risk Review Report
▪ SuccessFactors Integration with more secure OAuth support

SAP Cloud Identity Access Governance
▪ Access Management integrations
  – SAP S/4HANA for advanced financial closing
  – SAP Intelligent Asset Management
  – Support universal user ID –
    – SAP S4 Hana on-prem
    – SAP S4 Hana Cloud
▪ API for consuming 3rd party HR events
▪ Access Analysis and Remediation Insights into Actual Risks with Conflicts
▪ Access Certification inbox enhancements

SAP Cloud Identity Access Governance
▪ Access Analysis integrations
  – 3rd Party Application support via API
▪ Expanded PAM integrations
▪ Flexible and customizable workflow
  – Access certification
  – Privileged Access Management approval process
▪ Identity Analytics – enhancements

SAP Cloud Identity Access Governance
▪ Identity Lifecycle Management and Administration API
  – MDI Integration
▪ Access Management integrations
  – SAP Concur
  – SAP Sales Cloud
▪ Access Risk Assessment API
▪ Identity Access Reports
  – Who has what where

1. This is the current state of planning and may be changed by SAP at any time without notice.

For details see Road Map Explorer

Page 14: GRC Update of SAPSA on Access Control / IAG topics

Update on integration scenarios

Page 15: GRC Update of SAPSA on Access Control / IAG topics

Hybrid Identity and Access Governance

[Architecture diagram: ON-PREMISE LANDSCAPE, Firewall, CLOUD]

Cloud IAG Bridge*

SAP NetWeaver, ..., 3rd Party

Workflow, Self-Service, End User

SAP Business Suite

SAP Access Control*
• Access Analysis
• Role Design
• Access Request
• Emergency Access Management

SAP Identity Management
• Users/Groups
• Roles
• Connectors

SAP Jam***

**Provisioning

C/4HANA***

*SAP Access Control 12 and above
**Optional
***Coming

Page 16: GRC Update of SAPSA on Access Control / IAG topics

Integration: bridge concept of SAP Cloud Identity Access Governance

User Access Administration

On-premise applications: SAP Access Control (On premise)

Cloud applications: SAP Cloud Identity Access Governance

Shared Content
▪ Risk library
▪ Mitigation controls
▪ Mitigation

Shared Functions
▪ Access request simulation
▪ Business role simulation

Page 17: GRC Update of SAPSA on Access Control / IAG topics

Integration: cloud applications

1. SAP Access Control → on-premise applications

2. SAP Cloud Identity Access Governance → cloud applications

3. Cloud SAP Cloud Identity Access Governance bridge sync (SAP Access Control → SAP Cloud Identity Access Governance)
   a) Access risk library
   b) Repository data
   c) Mitigation controls and mitigation (user + access risk + mitigation control + monitor)

4. SAP Access Control access request and access analysis simulation (SAP Access Control → SAP Cloud Identity Access Governance)
   a) Simulation during access request process → SAP Cloud Identity Access Governance access analysis service
   b) Mitigation in access request temporary (control look up → SAP Cloud Identity Access Governance)
   c) Persistent mitigation after approval process (SAP Access Control workflow → SAP Cloud Identity Access Governance)

Page 18: GRC Update of SAPSA on Access Control / IAG topics

Hybrid Identity and Access Governance

[Architecture diagram: ON-PREMISE LANDSCAPE, Firewall, CLOUD]

Cloud IAG Bridge*

SAP NetWeaver, ..., 3rd Party

Workflow, Self-Service, End User

SAP Cloud Identity Access Governance
• Access Analysis
• Role Design
• Access Request

SAP Cloud Platform Identity Provisioning
• Users/Groups
• Roles
• Connectors

SAP Business Suite

SAP Access Control*
• Access Analysis
• Role Design
• Access Request
• Emergency Access Management

SAP Identity Management
• Users/Groups
• Roles
• Connectors

SAP Jam***

**Provisioning

C/4HANA***

*SAP Access Control 12 and above
**Optional
***Coming

Page 19: GRC Update of SAPSA on Access Control / IAG topics

SAP Cloud Identity Access Governance

8007928

SAP Cloud Identity Access Governance

Definition of metric: Connection is an integration of two unique end points between the Cloud Service and a customer designated system or dedicated data source

Features

▪ Access Risk Analysis
▪ Business Role Management
▪ System Connectors
▪ User Provisioning
▪ Access Certification
▪ Approval Workflow
▪ Emergency Access Management

▪ Access Risk Analysis
▪ Business Role Management
▪ System Connectors (Cloud only)
▪ User Provisioning

Limited features set through automated cloud provisioning profiles

Definition of metric: Individual Users are unique individuals being managed by the Cloud Service or who use the reporting console of the Cloud Service

SAP Cloud Identity Access Governance, integration edition

8008254

Page 20: GRC Update of SAPSA on Access Control / IAG topics

Identity Access Deployment Models

Access Control Hybrid; Cloud IAG integration edition with Access Control; Cloud Identity Access Governance

Access Request

Access Request – API based integration

Business Role Management

Role Re-engineering

Role Lifecycle Management

Privileged Access Management

Access Risk Analysis

Control Monitoring

Access Certification

Page 21: GRC Update of SAPSA on Access Control / IAG topics

Available APIs

Page 22: GRC Update of SAPSA on Access Control / IAG topics

Available APIs for external consumption in IAG

1. SCIM to provision to non-SAP systems (executed via IPS)

2. A complete package for Access Request services: SAP API Business Hub

3. Candidates for later releases: API to trigger an SOD analysis in IAG

Page 23: GRC Update of SAPSA on Access Control / IAG topics
Page 24: GRC Update of SAPSA on Access Control / IAG topics

Dr. Gero Maeder

VP Development GRC

GRC User Groups Point of Contact

Thank you!

Page 25: GRC Update of SAPSA on Access Control / IAG topics

© 2021 SAP SE or an SAP affiliate company. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP SE or an SAP affiliate company.

The information contained herein may be changed without prior notice. Some software products marketed by SAP SE and its distributors contain proprietary software components of other software vendors. National product specifications may vary.

These materials are provided by SAP SE or an SAP affiliate company for informational purposes only, without representation or warranty of any kind, and SAP or its affiliated companies shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP or SAP affiliate company products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.

In particular, SAP SE or its affiliated companies have no obligation to pursue any course of business outlined in this document or any related presentation, or to develop or release any functionality mentioned therein. This document, or any related presentation, and SAP SE’s or its affiliated companies’ strategy and possible future developments, products, and/or platforms, directions, and functionality are all subject to change and may be changed by SAP SE or its affiliated companies at any time for any reason without notice. The information in this document is not a commitment, promise, or legal obligation to deliver any material, code, or functionality. All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ materially from expectations. Readers are cautioned not to place undue reliance on these forward-looking statements, and they should not be relied upon in making purchasing decisions.

SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries. All other product and service names mentioned are the trademarks of their respective companies.

See www.sap.com/trademark for additional trademark information and notices.

www.sap.com/contactsap
