What’s SAP Access Control?
SAP Access Control (also commonly referred to as SAP GRC or SAP GRC Access Control) is a solution from SAP that enables organizations to control access across various SAP systems, minimizing the time and cost of compliance. It is an add-on to the SAP NetWeaver platform and works with SAP applications such as SAP ECC 6.0 and SAP S/4 HANA.
Some of the key functionalities are as follows:
| S/N | Function | Description |
|---|---|---|
| 1 | Analyze Risk | Define access risk rule set (both Segregation of Duties (‘SoD’) and Sensitive Access (‘SA’)); perform access risk analysis (real time or offline); manage Mitigation Controls; simulate changes to identify potential access risks |
| 2 | Manage Access | Self-service access requests; workflow-driven approval process; embedded access risk analysis; automated provisioning of approved access |
| 3 | Maintain Role | Define methodology for role definition and maintenance; define business roles |
| 4 | Certify Access | Automate periodic user access review; certify role content and assignment to users; automate review of mitigating control assignments |
| 5 | Manage Privileged Access | Manage emergency access; review use of privileged access |
These features are primarily focused on SAP core systems.
What’s SailPoint Identity Security Cloud (‘ISC’)?
SailPoint provides comprehensive Identity Governance and Administration (‘IGA’) functionalities across enterprise-wide IT systems including Active Directory, SAP ECC, SAP S/4 HANA, ServiceNow, Salesforce, etc.
Some of the key functionalities of its ISC platform are as follows:
| S/N | Function | Description |
|---|---|---|
| 1 | Automated Provisioning | Accelerate day 1 productivity with automated role- and attribute-based access; ensure that access is changed appropriately as an employee’s role evolves; reduce risk by automatically removing accounts and access in an appropriate manner |
| 2 | Access Requests & Approvals | Self-service access requests; workflow-driven approval process; embedded access risk analysis; automated provisioning of approved access |
| 3 | Access Certifications | Automate periodic user-access review; certify role assignment to users; gain visibility into uncorrelated accounts; certify dormant user accounts; certify privileged user accounts |
| 4 | Separation of Duties (‘SoD’) | Define access risk rule set; perform access risk analysis (real time or offline); define Mitigation Controls |
| 5 | Access Modeling | Identify user access patterns and determine potential roles, or bundles of access, that accurately align with what users actually do in an organization; suggest changes to existing roles to make them more secure; discover access that is common across an organization and not tied to a specific job function |
| 6 | Access Recommendations | Recommend access to users; help access approvers decide whether access requests should be approved or denied; help access reviewers decide whether access should be accepted or revoked |
| 7 | Access Insights | Provide historical view of access data; discover and remediate risky access |
| 8 | Access Risk Management | Define access risk rule set (both Segregation of Duties (‘SoD’) and Sensitive Access (‘SA’)) for SAP at granular tcode and authorization level; perform access risk analysis (real time or offline) for SAP at granular tcode and authorization level; manage Mitigation Controls; simulate changes to identify potential access risks; automate periodic SAP user access review; certify SAP role content and assignment to users; automate review of Mitigating Control assignments; manage emergency access for SAP; monitor use of privileged access |
These functionalities can support enterprise-wide IT systems including SAP applications such as SAP ECC 6.0, SAP S/4 HANA, SuccessFactors, Concur, etc.
SAP Access Control vs SailPoint
As you can see, at a high level there are many common functionalities provided by SAP Access Control and SailPoint. The key difference is that SAP Access Control serves selected SAP systems, while SailPoint can be used for enterprise-wide IT systems.
However, for organizations using SAP systems, this also presents some decision points around identity security for their SAP systems. For example:
- If the organization already has SAP Access Control implemented, how does that align with enterprise-wide SailPoint deployment plans?
- If the organization does not have SAP Access Control, should they implement it before or after the SailPoint deployment?
- Can they just use SailPoint without SAP Access Control?
Let’s look into these questions and understand various factors to consider.
The first question is whether SAP Access Control can address enterprise-wide IGA requirements and therefore be used instead of SailPoint. The answer is no. While SAP Access Control can be extended to some non-SAP systems, the integration is very limited, and it is both costly and complex.
Of course, one may also ask whether SailPoint can address all the functionalities offered by SAP Access Control. The answer is again no. Some of the key gaps between SAP Access Control and SailPoint are as follows:
- SAP Role Maintenance – while not very commonly used in SAP Access Control, this feature, often referred to as Business Role Management (‘BRM’), is not available in SailPoint.
- Mitigation Control (‘MC’) Maintenance – while basic functionalities to create and assign MCs for access risks are supported, SailPoint doesn’t provide workflows for managing and maintaining the MCs.
- Access risks related to Fiori Apps – SailPoint can only address SAP Fiori app related access risks through OData service access and doesn’t have the ability to manage risks directly related to Fiori App access.
That said, it is also worth remembering that some of the key SAP-specific functionalities provided by SAP Access Control require SailPoint’s Access Risk Management (‘ARM’) module (which has its own licensing requirements).
So, if the organization doesn’t have SAP Access Control and is deploying SailPoint, they need to look at the specific use cases and business requirements and determine which solution is better suited. In general, it may be more straightforward to go entirely with SailPoint unless one of the above-mentioned functionalities is a ‘must have’.
If the organization already has SAP Access Control, they need to decide whether to integrate it with SailPoint or replace it completely with SailPoint. Again, replacement is an option only if the above-mentioned functionalities are either not in use or can be turned off.
Finally, if the decision is to keep both, the integration should ensure that all the potential benefits are leveraged.
SailPoint integration with GRC
SailPoint GRC Integration is designed to leverage SAP GRC’s ability to perform SoD checks and to take remediation or mitigation decisions within SAP GRC. It uses the SAP GRC Access Risk Analysis (ARA) and Access Request Management (ARM) web services to perform the risk evaluation process. Mitigation decisions must be taken in SAP GRC so that SAP GRC is aware of which Mitigation Controls are applied to SoD risks.
The SAP GRC connector enables checking for risk in an access request in SailPoint (if it contains SAP access – roles or profiles) using the following method:
- The request is sent to SAP GRC for preventive access risk checks.
- The ARA Web Service checks for risk present in the request; if no risk is returned, SailPoint continues provisioning the request.
- If the ARA Web Service returns a risk in the request, a corresponding request is created in SAP GRC using the ARM Web Service.
- SailPoint continues polling the request until a response is issued by SAP GRC.
- On the basis of the response returned in the previous step (approval or rejection by SAP GRC), SailPoint continues with provisioning or rejects the request.