In a previous blog (see SAP struggle) we saw that SAP access control is technically and organizationally complex and often not in order. Another blog (see SAP roles 2.0) discusses the design of SAP roles to improve SAP access control. Another way to improve access control is implementation of an IAM solution for all major applications used in a company. This blog is about this alternative.
An IAM system supports the access control of connected systems. It is wise to connect initially only the most important systems in terms of access management. In addition to SAP, it can for instance be Active Directory and all applications based on it, the HR administration, the system for physical access to the building and the rooms and other business-critical applications.
The introduction of IAM is not only implementing an IAM system, but also making all related processes of the connected systems IAM ready. Often getting IAM-ready takes more time than the actual implementation of the IAM system itself. But this investment is necessary to succeed.
The IAM system is connected to the HR administration so that on boarding and off boarding changes in service, and changes of department can be processed directly. In addition, there will be a user-friendly interface so that you can request additional access in a simple way. The managers get a good overview of this access and can correct it easily. Auditors can check whether this process is being carried out correctly.
What actually happens is that access control is largely automated in a controlable way. Manual errors at the IT department are no longer possible. In the IAM system, business roles are created and assigned to users.
The IAM system only checks the top layer of the access control. This is the layer in which most mutations take place. This layer arranges for an employee to get an account in relevant systems and that this account becomes a group member within those systems.
Inaccuracies in underlying layers of the access control can not always be corrected by the IAM system. Examples of inaccuracies are: system groups in which conflicting rights are included and back doors in systems.
In SAP, the composite role is often taken as the top layer. The IAM system then ensures that the right users are linked to the right composite roles. In SAP itself, it is important that the composite roles and the underlying single roles are set up properly.
The basis must be good. If this is not the case, then the SAP roles have to be redesigned. See also the Navaio blog SAP roles 2.0.