PUBLIC

Nadine Engler – SAP Customer Connection Project Manager

Swetta Singh – SAP Access Governance Product Owner

Rajesh Shastry, Noopur Agarwal – Product Development

July 10, 2019

Influencing SAP: SAP Customer Connection2nd Delivery Call for SAP Access Control 2019

2PUBLIC© 2019 SAP SE or an SAP affiliate company. All rights reserved. ǀ

The information in this presentation is confidential and proprietary to SAP and may not be disclosed without the permission of SAP.

Except for your obligation to protect confidential information, this presentation is not subject to your license agreement or any other service

or subscription agreement with SAP. SAP has no obligation to pursue any course of business outlined in this presentation or any related

document, or to develop or release any functionality mentioned therein.

This presentation, or any related document and SAP's strategy and possible future developments, products and or platforms directions and

functionality are all subject to change and may be changed by SAP at any time for any reason without notice. The information in this

presentation is not a commitment, promise or legal obligation to deliver any material, code or functionality. This presentation is provided

without a warranty of any kind, either express or implied, including but not limited to, the implied warranties of merchantability, fitness for a

particular purpose, or non-infringement. This presentation is for informational purposes and may not be incorporated into a contract. SAP

assumes no responsibility for errors or omissions in this presentation, except if such damages were caused by SAP’s intentional or gross

negligence.

All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ materially from

expectations. Readers are cautioned not to place undue reliance on these forward-looking statements, which speak only as of their dates,

and they should not be relied upon in making purchasing decisions.

Disclaimer

3PUBLIC© 2019 SAP SE or an SAP affiliate company. All rights reserved. ǀ

Agenda

Recap of project timeline and approach

Overview of delivered improvements

Next Steps

Recap of project timeline and approach

5PUBLIC© 2019 SAP SE or an SAP affiliate company. All rights reserved. ǀ

Focus Topic Timeline: SAP Access Control 2019

Collection

of improvement requests

prioritized by votes

Selection

of improvement

requests for

implementation

Development

of improvements, delivery via

Notes/Support Package

Productive use in customers‘

systems

Collect Select Develop Use

Kick-Off

April 10, 2018

Final Call

June 14, 2018

Selection Call

Sep 27, 2018

1st Delivery Call

Mar 26, 2019

open project workspaceclose project workspace

June 23, 2018

Provide feedback

on productive use

Provide feedback on

specification (optional)

Makes detailed analysis

and decision on

implementation

Develops and delivers

SAP Notes and support

packages

Improves process for

Customer ConnectionFollows, moderates, and

comments on improvement

requests submitted

Submit improvement requests

and prioritize by votesCustomer

activities

Project phases

SAP project

team activities

2nd Delivery

Call

July 10, 2019

Overview of delivered improvements

7PUBLIC© 2019 SAP SE or an SAP affiliate company. All rights reserved. ǀ

Delivered Improvement Requests

Overview (1/2)

ID Title Votes Delivery Info

210691 Improve Performance of Action Usage by User, Role and Profile Report 9 SP06*

210833 Firefighter for Web Front End Applications 15 SP04

211424 Provide link between EAM request and Log review. Log review should be assigned request number. 13 SP06*

211042 Hit "ENTER" on keyboard should work rather than click on "Search" Button 12 SP04

212128 Synchronization of Business Roles assignment between GRC and Identity Management 11 SP05

211437 EAM Request 10 SP06*

211040 Please Provide Attribute : Allow Auto Provisioning in Role Mass Update - Step 2(Select Criteria) 8 SP04

(*1) only planned - no commitment concerning release dates

8PUBLIC© 2019 SAP SE or an SAP affiliate company. All rights reserved. ǀ

Delivered Improvement Requests

Overview (2/2)

ID Title Votes Delivery Info

213678 Link Access Request and Mitigation Assignment Request 8 SP05

213101 Option to create one UAR request per user 7 SP04

213255

OTM & GRC - Program modification GRAC_PFCG_AUTHORIZATION_SYNC for Web services

connected system 6 SP04

(*1) only planned - no commitment concerning release dates

9PUBLIC© 2019 SAP SE or an SAP affiliate company. All rights reserved. ǀ

Delivered Improvement Requests

presented in 1st Delivery Call (Mar 26, 2019)

ID Title Votes Status Delivery Info

210871 SAP FIORI / Approval Screen for roles 13 Delivered 2726079

211576 SAP FIORI /My Access Approvals - Rejection is shown as approved in GRC backend 10 Delivered 2726152

213482 Access Request in Fiori is rejected but approved by GRC 8 Delivered 2726645

213336 Compliance Approver App 6 Delivered 2726644

212413

Fiori request access - User should not always see all roles, only those roles he is

authorized 5 Delivered 2726153

211664 Notification Emails to have CC option - increased visibility for the requestors 11 Delivered 2726050

211418

Audit Log in Search Request should show the Approver ID & Full Name for the Forward

requests 10 Delivered 2738128

213679 Enable background risk analysis after approval stage 8 Delivered 2737662

(*1) only planned - no commitment concerning release dates

10PUBLIC© 2019 SAP SE or an SAP affiliate company. All rights reserved. ǀ

Long-term items (Requests considered outside the scope of this project)

ID Title Votes Comment

208586 GRC Access Control 10.1 User Access Review Request Approval through FIORI App 22

For Long-term Consideration

(formerly “Under review for

Portfolio”)

213252 Ruleset Modification Simulations 7

Planned (Long-term)

(formerly “Planned for Portfolio”)

213508 Delivery of default rule sets for GDPR or DSAG Prueferleitfaden 5

Planned (Long-term)

(formerly “Planned for Portfolio”)

211092 Migrate existing users role assignments to Business roles in case of new Business role implementation 11 Planned roadmap – IAG Bridge

(*1) only planned - no commitment concerning release dates

Demo

12PUBLIC© 2019 SAP SE or an SAP affiliate company. All rights reserved. ǀ

Synchronization of Business Roles assignment between GRC and Identity Management

Link Access Request and Mitigation Assignment Request

Option for one UAR request per user

Allow auto provisioning in Role Mass Update

Demo

13PUBLIC© 2019 SAP SE or an SAP affiliate company. All rights reserved. ǀ

DemoSynchronization of Business Roles assignment between GRC and Identity Management

SAP Identity Management (IDM) and SAP Access Control (AC) as an

integrated solution for identity and access governance

▪ Unified business role management

▪ SAP Access Control 12.0* and higher as the solution to model

business roles and implement access governance

SAP Access Control

SAP Identity Management

Roles

User interface

Audit

Solution:

▪ AC imports privileges of business applications from IDM

▪ Role administrator defines business roles in AC, based on the imported

privileges

▪ IDM loads business roles from GRC, making them available for

provisioning

▪ Models are continuously kept in sync

*refer to documentation for minimum SP

requirement

14PUBLIC© 2019 SAP SE or an SAP affiliate company. All rights reserved. ǀ

DemoLink Access Request and Mitigation Assignment Request

Link between the access request and mitigation assignment

request to have complete visibility into the associated

processes

Solution:

▪ Associated request numbers, when access request

triggers a mitigation assignment request.

▪ Navigate from mitigation assignment request to

access request for more contextual information

*refer to documentation for minimum SP

requirement

15PUBLIC© 2019 SAP SE or an SAP affiliate company. All rights reserved. ǀ

In user access review request , the

Manager views many users and their

corresponding assignments in a single

UAR request. A large number of users

for approval in one request is

challenging for approver.

Solution:

▪ Providing the option of one UAR

request per user for manager review

will result in improved and easier

processing for approvers.

DemoEnable One UAR request per user

16PUBLIC© 2019 SAP SE or an SAP affiliate company. All rights reserved. ǀ

In AC, role had to be downloaded to set the

provisioning values and then uploaded.

There was no possibility to set the parameter

for mass role update.

Solution:

▪ In GRC BRM Role Mass Maintenance, an

attribute allow auto provisioning has been

added.

▪ With the new enhancement users can now

update these parameter values, in front-end

Role Mass Update.

DemoAllow Auto Provisioning in Role Mass Update

17PUBLIC© 2019 SAP SE or an SAP affiliate company. All rights reserved. ǀ

Improvement Project Results

Visit the SAP Improvement Finder now to find & use delivered enhancements consistently:

▪ Easy to use

▪ Search (by topic, by date) & translation functionalities included

▪ Accessible to everyone, S-user only needed for accessing SAP notes

▪ Quick results – downloadable for immediate consumption

Replaces former Excel-based solutions.

Accessible under https://sapimprovementfinder.com

Next Steps

19PUBLIC© 2019 SAP SE or an SAP affiliate company. All rights reserved. ǀ

What’s next ?

▪ Adopt the new improvements in your productive environment

▪ Respond to our survey

▪ Do you have further enhancement requests???

→ Contact your SAP User group to request a successor project

▪ Follow https://influence.sap.com/GRCAccessControl2019 to get informed

about a successor project

Questions & Answers

Questions or remarks? We are here for you.

Simply contact us via e-mail:

Nadine Engler

SAP Customer Connection Engagement OwnerT +49 6227 7-47425

E nadine.engler@sap.com

www.sap.com

Thank you.

Join us:

twitter.com/sapinfluencing

Discover Innovations:

http://www.sap.com/innovationdiscovery

Visit us:https://influence.sap.com

Appendix

23PUBLIC© 2019 SAP SE or an SAP affiliate company. All rights reserved. ǀ

Delivered Improvement Requests

presented in 1st Delivery Call (Mar 26, 2019)

ID Title Votes Status Delivery Info

210871 SAP FIORI / Approval Screen for roles 13 Delivered 2726079

211576SAP FIORI /My Access Approvals - Rejection is shown as approved in GRC backend 10 Delivered 2726152

213482Access Request in Fiori is rejected but approved by GRC 8 Delivered 2726645

213336Compliance Approver App 6 Delivered 2726644

212413

Fiori request access - User should not always see all roles, only those roles he is

authorized 5 Delivered 2726153

211664Notification Emails to have CC option - increased visibility for the requestors 11 Delivered 2726050

211418

Audit Log in Search Request should show the Approver ID & Full Name for the Forward

requests 10 Delivered 2738128

213679Enable background risk analysis after approval stage 8 Delivered 2737662

(*1) only planned - no commitment concerning release dates

24PUBLIC© 2019 SAP SE or an SAP affiliate company. All rights reserved. ǀ

Enhancements to Access Approver app /

Compliance Approver app

Fiori request access – Roles visibility based

on authorization..

Delivered ImprovementsUsability : Fiori Approver Apps

25PUBLIC© 2019 SAP SE or an SAP affiliate company. All rights reserved. ǀ

Delivered ImprovementsNotification Emails to have CC for requestors

Notification ( CC ) to requestor

This will help requestor get visibility and

transparency on workflow approval

process.

26PUBLIC© 2019 SAP SE or an SAP affiliate company. All rights reserved. ǀ

• Provide transparency in Access

request audit log.

• Audit log in search request

enhancements for forward requests.

• Introduce Approver User Name along

with User ID.

Delivered ImprovementsAudit log

27PUBLIC© 2019 SAP SE or an SAP affiliate company. All rights reserved. ǀ

Delivered ImprovementsEnable Background Analysis Simulation at Approval stage

During access request approval it is challenging

to manually perform risk analysis before

proceeding with approval.

Providing the option of background processing

for risk analysis simulation will result in

improved and easier processing for approvers.