SAP User Access Management for S4HANA Private and Confidential2020

SAP User Access Management for S4HANA SAP User Access Management for S4HANA

S4HANA technology offers innovation, and businesses are increasingly adopting these. With the deadline for S4HANA adoption ending in 2025, many customers have either already moved to S4HANA or are in the process of building their roadmap.

While organisations are embarking on the journey of S4HANA-led digital transformation, one cannot ignore the impact of these trends on the business process and the underlying risk and compliance lens.

Some of the most popular trends during this digital transformation journey and their impact on risks and controls are listed below:

What is the power of S4HANA Digital code?

Building blocks for SAP user access management in S4HANA-led digital transformation:

The journey to SAP GRC 12.0 will start with a technical upgrade of the existing SAP GRC platform. It is important to take a holistic view of SAP user access management by ensuring that all impact areas are identified and designed in such a way that they complement each other and aligned to the overall access risk management strategy of the S4HANA digital platform. The following diagram depicts areas that need to be considered.

Why we need S4HANA?

New user experience - SAP Fiori enabled by HTML5

Flexible deployment options - on-cloud, on-premises, hybrid

Real-time data analytics - simplified data modelwith enhanced processingspeed, optimisedprocesses, and real-timeanalytics capabilities

Embedded solutions – S4HANA offers embedded solutions like planning, analytics, warehouse

Mobility and handheld devices – Provides access to information anytime, anywhere from any device.

New dimension technologies - SAP Leonardo provides integration of technologies (ML, AI, iRPA, etc.) opening up newer possibilities for process redesign

SAP GRC technical upgrade

Update SoD risk definitions

Optimizing Security design

in S4HANA and other

applications

SAP GRC functional upgrade

32

SAP User Access Management for S4HANA SAP User Access Management for S4HANA

How SAP GRC 12.0 can help you to gear up?

How Deloitte can help

Aligning GRC upgrade with S4HANA projects

As organisations embark on digital transformation initiatives, it is critical that they focus on access management efficiency while prioritising key areas such as security, privacy, and compliance. Upgrading or implementing SAP Access Control 12.0 presents the perfect opportunity to modernise and transform identity and access governance as it comes with many new features and functionalities. In addition, a client should also consider that by 31 December 2020 the support would be ending for SAP GRC 10.1.

While an upgrade from version 10.1 of Access Control may seem like more of a technical process, it will create opportunities to revisit current configuration, identify new functionality, and optimise SAP GRC.

Some of the key features offered by SAP GRC 12.0 are as follows:

Potential impact on Risk Control

Impact on process controls due to transformed processes, additional

features & functionalities and embedded solutions

Impact on Interfaces due to multiple ABAP and non-ABAP applications talking

to each other, possibility of interfacing IoT devices, etc.

Impact on access controls due to additional transaction codes, access to

SAP using mobility devises and Fiori, cross application SoDs, access to HANA DB

Impact on IT general controls as companies adopt flexible deployment

options, mobility solutions, etc.

SAP GRC 12 - key Improvements

Access Controls

Process Controls

Risk Management

Other Changes

• End-to-end integration with SuccessFactor

• Cloud application support via Cloud Identity Access Governance

• Risk Analysis for SAP Fiori Apps in SAP S/4 HANA on premise

• EAM for SAP HANA DB

• SAP SuccessFactor Central Payroll

• Enterprise Risk Enhancements – Operational Risk Aggregation is automated. When an underlying risk changes, the aggregated amounts change

• Workflow Enhancements – Manual KRI has a workflow now

• Probability, Impact analysis guidance added to offline forms (SP04)

• More flexible Continuous Controls Monitoring (CCM)

• CCM business rules can be run standalone- without assigning them to any business controls

• New SAP Fiori-based reports such as Monitor Issue Status and enhanced Monitor Control Status

• Performance Enhancements

• Visual harmonisation

• Synchronisation job performance has improved

• Web-based EAM for SP04

• Background Risk Analysis after approval stages in Access Control

Perform diagnostic study of current SAP GRC 10.x  and identify optimization opportunities (2-3 weeks)

Assist in SAP GRC 12.0 technical upgrade (6-10 weeks) or re-implementation (all GRC service packs can’t be upgraded)

Implement recommendation – SAP GRC optimization

Clients migrating to S4HANA during year 2020

• SAP GRC Technical Upgrade and Optimisation Study can be completed on Priority – estimated duration 6-10 weeks.

• SAP GRC go-live along with SAP Security re-design to go-live along with S4HANA go-live

S4HANA GO-LIVE DURING YEAR 2020

DEC 2020 S4HANA GO-LIVE POST 2020

Clients migrating to S4HANA after year 2020

GRC 12.0 Technical upgrade has to be completed before Dec 2020 along with SAP GRC Functional upgrade.

Clients migrating to S4HANA after year 2020

SAP Security Redesign and alignment of SAP GRC with S4HANA shall be completed along with S4HANA go-live

54

SAP User Access Management for S4HANA

6

Contact usRohit Mahajan President – Risk Advisory rmahajan@deloitte.com

Gaurav Shukla Partner, Risk Advisory shuklagaurav@deloitte.co

Manas Ketkar Director maketkar@deloitte.com

Abhijit KatkarPartnerakatkar@deloitte.com

Nitin Jagtap Directornjagtap@deloitte.com

Muthukumar KaruppiahPartner mkaruppiah@deloitte.com

Sachin Arora Director sacharora@deloitte.com

7

Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee (“DTTL”), its network of member firms, and their related entities. DTTL and each of its member firms are legally separate and independent entities. DTTL (also referred to as “Deloitte Global”) does not provide services to clients. Please see www.deloitte.com/about for a more detailed description of DTTL and its member firms.

This material has been prepared by Deloitte Touche Tohmatsu India LLP (“DTTILLP”), a member of Deloitte Touche Tohmatsu Limited, on a specific request from you and contains proprietary and confidential information. This material may contain information sourced from publicly available information or other third party sources. DTTILLP does not independently verify any such sources and is not responsible for any loss whatsoever caused due to reliance placed on information sourced from such sources. The information contained in this material is intended solely for you. Any disclosure, copying or further distribution of this material or its contents is strictly prohibited.

Nothing in this material creates any contractual relationship between DTTILLP and you. Any mutually binding legal obligations or rights may only be created between you and DTTILLP upon execution of a legally binding contract. By using this material and any information contained in it, the user accepts this entire notice and terms of use.

©2020 Deloitte Touche Tohmatsu India LLP. Member of Deloitte Touche Tohmatsu Limited