Global Life Sciences Company Enhances Compliance and Risk Management Using SAP BusinessObjects GRC Access Control 10.0
Our client faced challenges with having a unified SAP environment & ability to maintain visibility insight into user access risk across the business
Our client saw an opportunity to enhance and enforce globalised processes with the implementation of SAP BusinessObjects GRC Access Control 10.0.
Our implementation began with a series of workshops to obtain a better understanding of the client's SAP environment
As a leading life sciences company with a footprint that stretches around the world, this client faced challenges with having a unified SAP environment and the ability to maintain visibility and insight into user access risk across the business. In addition, several acquisitions had been integrated into the SAP environment in recent years, with inconsistent approaches to designing and implementing user access. While global policies and procedures existed, local offices at times managed their user accounts differently.
With the implementation of SAP BusinessObjects GRC Access Control 10.0, this client saw an opportunity to enhance its compliance and risk management capabilities and enforce globalised processes, with a focus on:
- Proactively managing user and role access risks prior to provisioning
- Maintaining a central repository of mitigating controls
- Providing visibility and auditing of super user access
- Globalising user administration processes
- Globalising role management processes
- Improving audit effectiveness and efficiency
Our implementation began with a series of workshops to obtain a better understanding of the client's SAP environment - for example, how it is configured, managed, and the potential business impact of changes to access management processes. Based on the information and requirements discussed, this approach creates a foundation upon which to tailor the implementation of GRC Access Control 10.0 to the client's needs.
Our approach consisted of two phases. The first phase focused on controlling segregation of duties, sensitive access and super user risk. Advantages of this two-phased approach include:
- The ability to generate segregation of duties and sensitive access risk reports from the client's actual SAP environment in the shortest amount of time, providing early insight into user access issues that require remediation
- Roll-out of centralised emergency access - a "quick win" that can be recognised by the entire organisation
Following the successful testing and implementation of that functionality, the second phase focused on embedding management of user access risk into the processes associated with user provisioning and the maintenance of user roles. Complete end-to-end automated workflows were created to automate the SAP user administration processes (for example, creation of a new account or a request to change an existing account). We worked with our client to design workflows that would enforce organisational and audit requirements globally. The workflow includes steps that simulate changes to user access and compare the proposed access to a set of business rules that have been defined to manage segregation of duties and sensitive access.
Concurrently with the automation of user provisioning, the business role management functionality was installed, based on the organisation's user role management methodology. This is designed to enforce standardisation across the entire system among the IT support users who create and change user roles (for example, standing role-naming conventions and mandatory identification of role owners).
Our client has achieved the following benefits as a result of this project:
- Complete overview of the organisation's SAP security environment to understand where the highest levels of risk exposure exist
- Implementation of process to support monitoring and audit trails of powerful super user and emergency access
- Globalised SAP user access administration to ensure all users across the world follow a uniform process
- Globalised SAP security role management process to ensure all security administrators follow a consistent methodology
- New tools to support the redesign of SAP security roles effectively and efficiently
- Improved IT organisational performance driven by a clear definition of roles and responsibilities