Global Oilfield Leader Boosts Access Controls with SAP Cloud IAG

Client Snapshot

Profile

This client is a leading global oilfield services provider.

Situation

Faced with mounting concerns over automation and the ability to implement financial controls to manage sensitive SAP access and segregation of duties, the company needed an experienced SAP partner to help design a comprehensive SAP access governance roadmap.

Work Performed

Protiviti’s SAP team designed customized access governance processes while supporting the client’s SAP IAG implementation. Our work included developing a cloud-first architecture, defining roles and access, streamlining the access request process and training to future-proof the company for ongoing success.

Outcome/Benefits

The client’s new processes drove a 100% improvement in requests analyzed for risk, an 80% increase in automation of access assignments and removals, and a 50% reduction in time to complete access reviews. This strengthened its compliance capabilities for ongoing risk management and access governance maturity.

In a rapidly evolving regulatory environment, ensuring effective access governance is not only a best practice but a critical compliance requirement, especially for chief financial officers (CFOs) and controllers focused on internal controls and compliance. Our most recent SOX Compliance poll of Audit and Finance Executives found that over 50% of organizations reported increased compliance costs from the prior year. Further, only a third of organizations are maximizing the use of enabling technologies to manage those costs, even though survey respondents also named increased use of technology as a top priority.

Our client, a leading oilfield services provider, faced mounting concerns over automation and the ability to implement financial controls to manage sensitive SAP access and segregation of duties (SOD). Recognizing the urgency to strengthen its access management capabilities and prevent recurring compliance deficiencies, the company chose SAP’s Cloud Identity Access Governance (IAG) solution to modernize and automate its SAP access governance processes.

Client challenge

The client deployed SAP S/4HANA as its core ERP system (deployed in the cloud through the RISE with SAP program). The primary challenge faced after going live was a lack of centralized visibility, automation and control over SAP access risks. Critical challenges included:

  • Pervasive SOD and sensitive access conflicts in SAP S/4HANA Cloud Private Edition.
  • Lack of consistent process and governance of privileged and administrative access.
  • Manual and error-prone procedures for access provisioning and deprovisioning.
  • Limited governance structure over SAP access management responsibilities, resulting in over-provisioning of access and an inability to effectively review access on a periodic basis.

These challenges not only jeopardized the company’s compliance posture but also created inefficiencies in access management, raising audit and security concerns.

Solution delivered

Working alongside the client, our SAP team designed governance processes and implemented SAP IAG to address these pain points. Our approach leveraged a series of design sessions to identify and document future-state processes while educating the team on the functional capabilities and obtaining feedback early and often. The client’s objectives included:

  • Continuous risk insight
    Implemented access analysis functionality, providing real-time visibility into SOD and sensitive access risks across the SAP S/4HANA landscape.
  • Requesting and monitoring emergency privileged access
    Enabled privileged access management functionality, allowing the team to streamline, automate, and tightly control privileged and sensitive access, ensuring emergency elevated access was not directly assigned but requested and reviewed through controlled workflows.
  • Automating compliant access provisioning
    Streamlined the end-to-end access request process with approval workflows leveraging preventative SOD checks. Assigned user access more accurately with proactive risk identification and mitigation prior to access being provisioned.
  • Reviewing and certifying access
    Deployed access certification functionality to support periodic user access reviews, ensuring users maintain appropriate access and that the principle of least privilege (PoLP) is followed for each user’s job responsibilities.
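The three controls above (continuous risk analysis against an SOD ruleset, a preventative check on access requests before provisioning, and a periodic certification review) share one underlying mechanism: a ruleset that pairs conflicting business functions, a mapping from roles to the functions they grant, and a comparison of a user's effective access against that ruleset. The following is an added illustration of that mechanism and is not code from the original article, from Protiviti, or from SAP IAG; the rule IDs, function names, role names and sample users are constructed for the example and do not represent SAP's delivered ruleset.

```python
"""Segregation-of-duties (SOD) analysis with a preventative request check and a
certification review list. Added example; all rules, roles and users are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class SodRule:
    rule_id: str        # constructed identifier, not an SAP IAG rule ID
    function_a: str     # business function that conflicts with function_b
    function_b: str
    risk_level: str     # "High" or "Medium"
    description: str


@dataclass(frozen=True)
class Violation:
    rule_id: str
    risk_level: str
    roles_a: tuple      # roles granting function_a
    roles_b: tuple      # roles granting function_b


# Constructed sample ruleset: pairs of functions one user must not hold together.
RULESET = (
    SodRule("P001", "CREATE_VENDOR", "PAY_VENDOR", "High", "Create a fictitious vendor and pay it"),
    SodRule("P002", "CREATE_PO", "APPROVE_PO", "High", "Create and approve own purchase order"),
    SodRule("F001", "POST_JOURNAL", "APPROVE_JOURNAL", "Medium", "Post and approve own journal entry"),
)

# Constructed role-to-function mapping (in practice derived from role authorizations).
ROLE_FUNCTIONS = {
    "Z_AP_CLERK": {"CREATE_VENDOR", "POST_JOURNAL"},
    "Z_AP_PAYMENT": {"PAY_VENDOR"},
    "Z_BUYER": {"CREATE_PO"},
    "Z_PO_APPROVER": {"APPROVE_PO"},
    "Z_GL_REVIEWER": {"APPROVE_JOURNAL"},
    "Z_DISPLAY_ONLY": set(),
}


def roles_granting(function, roles, role_functions=ROLE_FUNCTIONS):
    """Return the subset of `roles` that grants `function`, sorted for stable output."""
    return tuple(sorted(r for r in roles if function in role_functions.get(r, ())))


def analyze_user(roles, ruleset=RULESET, role_functions=ROLE_FUNCTIONS):
    """Risk analysis: every rule where the user holds both conflicting functions."""
    violations = []
    for rule in ruleset:
        a = roles_granting(rule.function_a, roles, role_functions)
        b = roles_granting(rule.function_b, roles, role_functions)
        if a and b:
            violations.append(Violation(rule.rule_id, rule.risk_level, a, b))
    return violations


def check_access_request(current_roles, requested_roles, mitigated_rules=frozenset()):
    """Preventative check run before provisioning. Only violations the request
    would introduce are evaluated; pre-existing ones belong to the review process.
    Decision policy (constructed): an unmitigated High conflict is rejected, any
    other new conflict is routed to a risk owner, otherwise the request is approved."""
    existing = {v.rule_id for v in analyze_user(current_roles)}
    after = analyze_user(set(current_roles) | set(requested_roles))
    new = [v for v in after if v.rule_id not in existing]
    unmitigated_high = [v for v in new
                        if v.risk_level == "High" and v.rule_id not in mitigated_rules]
    if unmitigated_high:
        decision = "REJECTED"
    elif new:
        decision = "NEEDS_RISK_APPROVAL"
    else:
        decision = "APPROVED"
    return {"decision": decision,
            "new_violations": [v.rule_id for v in new],
            "unmitigated_high": [v.rule_id for v in unmitigated_high]}


def certification_items(user_roles):
    """Build the periodic review list: per user, the violations and the roles that
    contribute to them, so a reviewer can see which removals restore least privilege."""
    items = {}
    for user, roles in user_roles.items():
        violations = analyze_user(roles)
        in_conflict = sorted({r for v in violations for r in v.roles_a + v.roles_b})
        items[user] = {"roles": sorted(roles),
                       "violations": [v.rule_id for v in violations],
                       "roles_in_conflict": in_conflict}
    return items


if __name__ == "__main__":
    # Constructed sample population for a review cycle.
    users = {"jdoe": {"Z_AP_CLERK", "Z_AP_PAYMENT"}, "asmith": {"Z_BUYER", "Z_DISPLAY_ONLY"}}
    for user, item in certification_items(users).items():
        print(user, item)
    print(check_access_request({"Z_BUYER"}, {"Z_PO_APPROVER"}))
```

The request check deliberately compares violations before and after the change rather than rejecting any user who already has a conflict; otherwise legitimate requests from users with legacy conflicts would be blocked while the conflicts themselves are left to the certification cycle. A mitigated rule (a documented compensating control) still surfaces for a risk owner's approval rather than being silently auto-approved.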

Cloud-first architecture, standard integration capabilities and tailored design

  • Cloud integration via SAP Business Technology Platform (BTP) and secure connections to SAP systems
    Our team configured standard out-of-the-box secure connectors in SAP BTP to enable integration between IAG and the client’s SAP system. Within the S/4HANA environment, trusted connections were configured to provide seamless and secure communication back to SAP BTP.
  • Integration with Microsoft Entra ID and SAP Cloud Identity Services (CIS)
    We leveraged SAP Cloud Identity Services to integrate Microsoft Entra ID (formerly Azure Active Directory) as the corporate identity provider (IdP). Source and target systems were configured, and transformation rules were applied to ensure accurate user synchronization and lifecycle management across the SAP landscape.
  • Customized risk ruleset and workflow design
    Through collaborative workshops, the IAG risk ruleset was tailored to the client’s unique organizational roles and risk appetite, while approval workflows were designed to reflect compliance and operational approval hierarchies.

Governance framework and processes

Beyond technology, an important project pillar was focused on ensuring long-term sustainability by establishing governance over SAP access management processes:

  • Ownership
    Clear roles and responsibilities were defined for access governance, including business, IT, compliance, and audit stakeholders.
  • Process
    We facilitated the definition and implementation of access governance processes to ensure alignment with SOX procedures and internal policies, drawing from our established governance frameworks.
  • Long-term sustainability
    To ensure adoption and long-term success, we provided training guides and recorded training materials which can be leveraged for onboarding new owners and approvers.

Results and value delivered

As a result of the IAG implementation:

  • The client gained real-time visibility into access risks, moving from no visibility to 100% of requests being analyzed for risk, enabling the company to proactively remediate SOD and sensitive access conflicts.
  • The client realized a 50% reduction in the time needed to complete access reviews.
  • Privileged access now follows a tightly governed process through automated request and review workflows.
  • User access provisioning approval workflows were streamlined with an 80% increase in automation of access assignments and removals, reducing manual effort and error rates while creating a preventative control for compliant access provisioning.
  • The organization successfully demonstrated its enhanced access governance posture to the external auditor, enabling remediation of control gaps while positioning itself for sustainable SOX compliance as a public company.

Throughout this strategic access governance engagement, the client not only strengthened its compliance capabilities but also laid the foundation for ongoing risk management and access governance maturity.

Continuing the governance journey

Building on this success and improvement in governance, the client is now exploring how to continue to strengthen access controls while also evaluating additional automations, including:

  • Remediating unneeded access and documenting a mitigating control approach for acceptable risks.
  • Developing a strategy and plan for a role-based access design to align access to end user positions for more efficient and streamlined user onboarding.
  • Automating the process for removing access when team members leave the organization.
  • Evaluating integration of SAP Ariba to further streamline and automate access provisioning.

The client not only strengthened its compliance capabilities, but also laid the foundation for ongoing risk management and access governance maturity.