SAP business objects GRC access control - Client story

Change Requested:

As a leading life sciences company with a footprint that stretches around the world, this client faced challenges with having a unified SAP environment and the ability to maintain visibility and insight into user access risk across the business. In addition, several acquisitions had been integrated into the SAP environment in recent years, with inconsistent approaches to designing and implementing user access. While global policies and procedures existed, local offices at times managed their user accounts differently.

Change Envisioned

With the implementation of SAP BusinessObjects GRC Access Control 10.0, this client saw an opportunity to enhance its compliance and risk management capabilities and enforce globalized processes, with a focus on:

• Proactively managing user and role access risks prior to provisioning
• Maintaining a central repository of mitigating controls
• Providing visibility and auditing of super user access
• Globalizing user administration processes
• Globalizing role management processes
• Improving audit effectiveness and efficiency

Change Delivered

Our implementation began with a series of workshops to obtain a better understanding of the client's SAP environment - for example, how it is configured, managed, and the potential business impact of changes to access management processes. Based on the information and requirements discussed, this approach creates a foundation upon which to tailor the implementation of GRC Access Control 10.0 to the client's needs.

Our approach consisted of two phases. The first phase focused on controlling segregation of duties, sensitive access and super user risk. Advantages of this two-phased approach include:

• The ability to generate segregation of duties and sensitive access risk reports from the client's actual SAP environment in the shortest amount of time, providing early insight into user access issues that require remediation
• Roll-out of centralized emergency access - a "quick win" that can be recognized by the entire organization

Following the successful testing and implementation of that functionality, the second phase focused on embedding management of user access risk into the processes associated with user provisioning and the maintenance of user roles. Complete end-to-end automated workflows were created to automate the SAP user administration processes (for example, creation of a new account or a request to change an existing account). We worked with our client to design workflows that would enforce organizational and audit requirements globally. The workflow includes steps that simulate changes to user access and compare the proposed access to a set of business rules that have been defined to manage segregation of duties and sensitive access.

Concurrently with the automation of user provisioning, the business role management functionality was installed, based on the organization's user role management methodology. This is designed to enforce standardization across the entire system among the IT support users who create and change user roles (for example, standing role-naming conventions and mandatory identification of role owners).

Our client has achieved the following benefits as a result of this project:

• Complete overview of the organization's SAP security environment to understand where the highest levels of risk exposure exist
• Implementation of process to support monitoring and audit trails of powerful super user and emergency access
• Globalized SAP user access administration to ensure all users across the world follow a uniform process
• Globalized SAP security role management process to ensure all security administrators follow a consistent methodology
• New tools to support the redesign of SAP security roles effectively and efficiently
• Improved IT organizational performance driven by a clear definition of roles and responsibilities