As a leading life sciences company with a footprint that stretches around the world, this client faced challenges in maintaining a unified SAP environment and in keeping visibility and insight into user access risk across the business. In addition, several acquisitions had been integrated into the SAP environment in recent years, with inconsistent approaches to designing and implementing user access. While global policies and procedures existed, local offices at times managed their user accounts differently.
With the implementation of SAP BusinessObjects GRC Access Control 10.0, this client saw an opportunity to enhance its compliance and risk management capabilities and enforce globalized processes, with a focus on:
Our implementation began with a series of workshops to obtain a better understanding of the client's SAP environment - for example, how it is configured and managed, and the potential business impact of changes to access management processes. The information and requirements gathered in these workshops created a foundation upon which to tailor the implementation of GRC Access Control 10.0 to the client's needs.
Our approach consisted of two phases. The first phase focused on controlling segregation of duties, sensitive access and super user risk. Advantages of this two-phased approach include:
Following the successful testing and implementation of that functionality, the second phase focused on embedding management of user access risk into the processes associated with user provisioning and the maintenance of user roles. End-to-end automated workflows were created for the SAP user administration processes (for example, creation of a new account or a request to change an existing account). We worked with our client to design workflows that would enforce organizational and audit requirements globally. The workflow includes steps that simulate the requested change to a user's access and compare the proposed access against a set of business rules defined to manage segregation of duties and sensitive access.
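The simulation step described above, as an added illustration that is not SAP GRC code and not part of the original case study: it models roles as sets of transaction codes, business functions as sets of actions, and risks as combinations of functions (the role names, rule set and data are constructed), then reports which risks a request would newly introduce versus which the user already carries.

```python
"""Illustrative SoD / sensitive-access simulation for an access request.

Constructed example, not SAP GRC Access Control code. Assumed model:
a role grants actions (transaction codes); a business function is a set
of actions; an SoD risk is a set of functions that must not be held
together; a sensitive-access risk is a single function.
"""
from itertools import chain

# Constructed sample data; role names and rule set are illustrative only
ROLES = {
    "Z_AP_CLERK":    {"FK01", "FB60"},   # maintain vendor, post invoice
    "Z_AP_PAYMENTS": {"F110"},           # run payment program
    "Z_BASIS_ADMIN": {"SU01", "PFCG"},   # user / role administration
    "Z_DISPLAY":     {"FK03"},           # display vendor only
}
FUNCTIONS = {
    "VENDOR_MAINT": {"FK01", "FK02"},
    "INVOICE_POST": {"FB60", "MIRO"},
    "PAYMENT_RUN":  {"F110"},
    "USER_ADMIN":   {"SU01", "PFCG"},
}
RISKS = {  # risk id -> (functions that must not be combined, risk type)
    "P001": ({"VENDOR_MAINT", "INVOICE_POST"}, "SoD"),
    "P002": ({"VENDOR_MAINT", "PAYMENT_RUN"}, "SoD"),
    "B001": ({"USER_ADMIN"}, "Sensitive"),
}

def held_functions(roles):
    """A function counts as held if the user can execute any of its actions."""
    actions = set(chain.from_iterable(ROLES[r] for r in roles))
    return {f for f, acts in FUNCTIONS.items() if acts & actions}

def violations(roles):
    """Risk ids whose full set of functions is held through these roles."""
    funcs = held_functions(roles)
    return {rid for rid, (required, _) in RISKS.items() if required <= funcs}

def simulate_request(current_roles, add=(), remove=()):
    """Return (pre-existing, newly introduced) risk ids for a role change."""
    proposed = (set(current_roles) | set(add)) - set(remove)
    before, after = violations(current_roles), violations(proposed)
    return before, after - before

if __name__ == "__main__":
    existing, new = simulate_request({"Z_AP_CLERK"}, add={"Z_AP_PAYMENTS"})
    print("pre-existing:", sorted(existing), "introduced:", sorted(new))
```

A provisioning workflow would route a request with a non-empty "introduced" set to the risk owner for mitigation or rejection, while a request that only carries pre-existing risks can be handled as a remediation item rather than blocked.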
Concurrently with the automation of user provisioning, the business role management functionality was installed, based on the organization's user role management methodology. It is designed to enforce standardization across the entire system among the IT support users who create and change user roles (for example, standard role-naming conventions and mandatory identification of role owners).
Our client has achieved the following benefits as a result of this project: