Extending identity security journey to SAP systems

Background

SAP is one of the most commonly used enterprise systems. And SailPoint is one of the most popular Identity Governance and Administration (‘IGA’) systems. Both are leaders in their respective domains and therefore, many large organizations are using both these systems.

However, onboarding SAP into the SailPoint IGA solution (or, for that matter, any other IGA solution) has been a challenge for many organizations. Organizations often struggle even to integrate SAP with SailPoint, let alone make the most of the integration. Several factors make SAP onboarding especially challenging.

Challenges

Some of the most common challenges are as follows:

  1. SAP has a suite of very diverse products with completely different technologies – SAP S/4 HANA is an ERP solution using NetWeaver technology while SuccessFactors is a native SaaS solution. Ariba, Analytics Cloud, Concur, Business Technology Platform (BTP), Business Planning and Consolidation (BPC), Master Data Governance (MDG), etc are all very unique and different solutions with their own architecture and access management requirements. 
  2. Even when focusing only on SAP ERP systems, the landscape is very complex and can be very confusing for a person who does not understand SAP.
  3. SAP ERP architecture (especially the concept of System and Client), together with the various versions, hosting options (SAP ECC 6.0, SAP S/4 HANA public cloud, private cloud, etc.) and Fiori choices (used/not used, central hub vs embedded), seems equally daunting for a non-SAP technical expert.
  4. Many organizations already have some automation (tools or semi-automated scripts) to manage SAP ERP access. And these automations often tend to be complex and require careful planning to change.
  5. SAP also has its own suite of products (often with overlapping functionalities) to manage user access in SAP. This includes SAP Access Controls, SAP Cloud Identity Access Governance (IAG), SAP Identity Management (IdM), SAP Cloud Identity Services (i.e., IAS and IPS), Central User Administration (CUA), Solution Manager (SolMan), etc. While these solutions focus on managing access in SAP systems (as mentioned in #1 above), they also extend some functionalities to non-SAP systems.
  6. Integrating SAP ERP with SailPoint requires careful preparation and prerequisites, which often require SailPoint engineers to work closely with the SAP technical team. 
  7. Unlike most other systems, many organizations prefer to extend the same access management controls to some of the non-production SAP ERP systems.

Apart from all these technical challenges, one of the biggest challenges is the ability of SailPoint engineers to communicate and work with the SAP technical team. Without adequate understanding of SAP systems, SailPoint engineers often get bogged down discussing the integration with SAP technical teams. The SAP team expects SailPoint engineers to understand the difference between SAP System and SAP Client, Change & Transport System (CTS), Functional Modules and Authorization Objects, which is often an alien language for SailPoint engineers. Bridging this gap to ensure smooth communication between SailPoint and SAP team is one of the biggest challenges in onboarding of SAP into SailPoint.

Segregation of Duties

Another big challenge when it comes to onboarding SAP into SailPoint is managing Segregation of Duties (‘SoD’). SoD is an important component of internal controls for any organization and needs to be managed for every IT system.  SAP ERP is often the crown jewel application for organizations using it and by its very nature, SoD is especially very important to enforce in the SAP ERP system. However, SoD management in SAP ERP is unique due to the dynamic nature of the ‘SAP roles’. Let’s understand this:

  1. SoD refers to ensuring that users do not hold a combination of conflicting access (for example, creating a vendor and processing an invoice).
  2. In most systems, this is controlled through ‘system entitlements’.
  3. IGA solutions like SailPoint allow organizations to define an SoD policy as a combination of ‘system entitlements’. These policies can then be checked during access requests (preventive control) or reviewed/reported on (detective control).
  4. IGA solutions treat ‘SAP roles’ as the ‘system entitlements’ of the SAP ERP system.
  5. However, ‘SAP roles’ are dynamic and insufficient for checking SoD. For example, it is possible to create an SAP role called ‘Invoice Processing’ that also grants access to create vendors.
  6. In SAP, access is actually granted at the level of transaction codes (tcodes) and authorizations (authorization objects and their field values). So SoD needs to be managed at the tcode and authorization level rather than at the ‘SAP role’ level.
  7. Traditional tools such as SAP GRC Access Control have this ability, but traditional IGA solutions did not.
  8. Therefore, many organizations continue to use traditional SAP SoD tools to manage SoD, and it becomes a challenge to enforce ‘preventive controls’ that check SoD during the access request process.

Note: It is possible to enforce tcode- and authorization-level SoD checks in SailPoint access requests by integrating the SAP ERP system together with SAP GRC Access Control. SailPoint also has its own solution (Access Risk Management (‘ARM’), an add-on module) that provides tcode- and authorization-level SoD management.
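To make the difference between points 5 and 6 concrete, here is a small added example (not code from the original post and not a SailPoint or SAP GRC rule export) that evaluates the same vendor/invoice conflict at role level and at tcode plus authorization level. The tcodes (XK01, XK02, XK03, MIRO), the authorization objects (F_LFA1_APP, M_RECH_WRK) and the activity values are used illustratively; the role definitions, role names and the mapping of each tcode to the authorization it needs are constructed for the example, so verify them against your own SAP ruleset before reusing any of it.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Set, Tuple

# An SAP authorization as (authorization object, field, value), e.g. ("F_LFA1_APP", "ACTVT", "01").
Auth = Tuple[str, str, str]


@dataclass(frozen=True)
class SapRole:
    name: str
    tcodes: FrozenSet[str]   # transaction codes the role grants
    auths: FrozenSet[Auth]   # authorization object field values the role grants


@dataclass(frozen=True)
class SodFunction:
    """A business function: each tcode mapped to the authorization it needs to be effective."""
    name: str
    tcode_auths: Dict[str, Auth]


@dataclass(frozen=True)
class SodRule:
    name: str
    left: SodFunction
    right: SodFunction


# --- constructed sample data (illustrative; not exported from any real system) ---
CREATE_VENDOR = SodFunction("Create vendor", {"XK01": ("F_LFA1_APP", "ACTVT", "01")})
POST_INVOICE = SodFunction("Post vendor invoice", {"MIRO": ("M_RECH_WRK", "ACTVT", "01")})
RULE_NAME = "Vendor creation vs invoice posting"
TCODE_RULES = [SodRule(RULE_NAME, CREATE_VENDOR, POST_INVOICE)]

# The same rule as a role-as-entitlement IGA policy would express it: a forbidden role combination.
ROLE_RULES = [(RULE_NAME, frozenset({"Z_VENDOR_MAINT", "Z_INVOICE_PROC"}))]

ROLES: Dict[str, SapRole] = {
    "Z_VENDOR_MAINT": SapRole("Z_VENDOR_MAINT", frozenset({"XK01", "XK02"}),
                              frozenset({("F_LFA1_APP", "ACTVT", "01"), ("F_LFA1_APP", "ACTVT", "02")})),
    # Named as an invoice role, but the role builder also put vendor creation into it.
    "Z_INVOICE_PROC": SapRole("Z_INVOICE_PROC", frozenset({"MIRO", "XK01"}),
                              frozenset({("M_RECH_WRK", "ACTVT", "01"), ("F_LFA1_APP", "ACTVT", "01")})),
    "Z_INVOICE_ONLY": SapRole("Z_INVOICE_ONLY", frozenset({"MIRO"}),
                              frozenset({("M_RECH_WRK", "ACTVT", "01")})),
    # Carries the XK01 tcode but only display activity (03), so it cannot actually create vendors.
    "Z_VENDOR_VIEW": SapRole("Z_VENDOR_VIEW", frozenset({"XK01", "XK03"}),
                             frozenset({("F_LFA1_APP", "ACTVT", "03")})),
}


def role_level_violations(user_roles: Iterable[str], rules=ROLE_RULES) -> List[str]:
    """SoD check as a role-level IGA policy sees it: flag only listed role combinations."""
    held = set(user_roles)
    return [name for name, combo in rules if combo <= held]


def effective_access(user_roles: Iterable[str], catalog=ROLES) -> Tuple[Set[str], Set[Auth]]:
    """SAP unions tcodes and authorizations across all roles assigned to a user."""
    tcodes: Set[str] = set()
    auths: Set[Auth] = set()
    for role in user_roles:
        tcodes |= catalog[role].tcodes
        auths |= catalog[role].auths
    return tcodes, auths


def function_enabled(tcodes: Set[str], auths: Set[Auth], func: SodFunction) -> bool:
    """A function is usable only if some tcode of it is granted together with the authorization it needs."""
    return any(t in tcodes and a in auths for t, a in func.tcode_auths.items())


def tcode_level_violations(user_roles: Iterable[str], rules=TCODE_RULES, catalog=ROLES) -> List[str]:
    """SoD check at tcode plus authorization level, independent of how roles are named or cut."""
    tcodes, auths = effective_access(user_roles, catalog)
    return [r.name for r in rules
            if function_enabled(tcodes, auths, r.left) and function_enabled(tcodes, auths, r.right)]


if __name__ == "__main__":
    sample_users = {
        "alice": ["Z_INVOICE_PROC"],                    # one 'innocent' role hides the conflict
        "bob": ["Z_VENDOR_MAINT", "Z_INVOICE_PROC"],   # caught by both checks
        "carol": ["Z_VENDOR_MAINT", "Z_INVOICE_ONLY"],  # role rule never listed this combination
        "dave": ["Z_VENDOR_VIEW", "Z_INVOICE_ONLY"],    # has XK01 but not the create authorization
    }
    for user, roles in sample_users.items():
        print(user, "role-level:", role_level_violations(roles),
              "tcode-level:", tcode_level_violations(roles))
```

Running it shows the two failure modes the list describes: a single role whose name says ‘invoice’ but contains vendor creation passes the role-level check and fails the tcode-level one, and a role combination nobody thought to list in the role policy is still caught once the check looks at what the roles actually grant. The last user shows why the authorization dimension matters as well: holding the XK01 tcode with only display activity on F_LFA1_APP does not constitute the ‘create vendor’ function, so no conflict is raised.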

Conclusion

In this series of blogs, Hexadius will share the lessons learned from its experience in onboarding various SAP systems (SAP ECC, SAP S/4 HANA, SuccessFactors, Ariba, etc.), including tcode- and authorization-level SoD management for SAP ERP.

The blogs in coming weeks will cover the following:

  1. Planning SAP onboarding into SailPoint
  2. Things to consider for onboarding SuccessFactors as an Authoritative Source during SailPoint deployment
  3. Do’s and Don’ts of SailPoint deployment for organizations using SAP GRC Access Controls 
  4. Best practices for SAP SoD management at tcode and authorization level using SailPoint
  5. Clearing confusion regarding SAP IdM and SAP Cloud Identity Services (i.e., IAS and IPS) for SailPoint deployments
  6. Managing non-Production SAP systems using SailPoint

Please subscribe to receive notifications about these upcoming blogs!
