Business Profile
Our client is a statutory board in Singapore. The client used an SAP ECC 6.0 ERP system along with SAP Enterprise Portal, BW and Fiori systems. It used a custom-developed tool for user access provisioning in the SAP ERP and Portal systems. The tool also supported basic Segregation of Duties (‘SoD’) analysis. However, the solution was not sufficient to support the increasingly complex SAP landscape, and the SoD analysis it produced was not accurate due to system limitations.
Objective
The client evaluated multiple solutions and decided to implement SAP GRC Access Control for access provisioning as well as managing SoD risks in SAP systems. The primary objectives of the implementation were as follows:
- Manage SAP access and ‘SoD’ risks to enhance internal controls.
- Automate user administration functions (such as user access request, user access approval, SoD risk analysis, user creation, user deactivation, etc.) to increase SAP team productivity.
- Control elevated access privileges granted to SAP team for system support and troubleshooting to prevent misuse of such access.
Work Performed
The client engaged Hexadius Consulting to implement SAP GRC Access Control (‘AC’) 10.1 to meet its objectives. It was decided that the following three modules in SAP GRC AC would be configured: Access Risk Analysis (‘ARA’), Access Request Management (‘ARM’), and Emergency Access Management (‘EAM’).
Further, it was decided that SAP GRC AC would be used to manage the entire SAP landscape.
Hexadius performed the technical installation of the SAP GRC AC system and configured the three modules to address our client’s requirements.
- ARA module – The SoD ruleset is the heart of the SAP GRC AC ARA functionality. Our client had a formally documented and approved SoD ruleset, which had recently been reviewed in preparation for the SAP GRC AC implementation. Hexadius worked with the client’s project personnel to convert the SoD ruleset into the format required by the SAP GRC AC ARA module. The enhanced SoD ruleset was tested, uploaded into the ARA module and configured as the default SoD ruleset. Standard SAP GRC ARA functionalities were leveraged to provide accurate SoD risk analysis to the client’s business users. Hexadius also worked with the client’s key users to establish governance processes around maintenance of the SoD ruleset (such as ownership, approval of changes, etc.).
- ARM module – The ARM module provides forms and workflows for user access provisioning in SAP. Our client defined a multi-level approval process with automated SoD risk analysis for user access requests. The SAP GRC AC HR Trigger functionality was used to automate user creation and deactivation based on the creation or delimiting of the HR employee master record. Hexadius also enhanced the standard SAP GRC AC ARM module to provide the following functionalities:
  - SAP license type allocation (based on the roles assigned to users)
  - SAP license type report
  - Review and deactivation of existing roles in case of employee transfer within the client’s businesses
  Different approval strategies were defined for the Development (‘DEV’), Quality Assurance (‘QA’) and Production (‘PRD’) environments as well as for the different SAP systems.
- EAM module – Hexadius discussed the options with the client and identified ID-based, centralized firefighting as the scenario best suited to the client’s requirements. Hexadius worked with the client’s SAP team to identify and define the Firefighter IDs (‘FFID’) and their related responsibilities, and set up the workflows for requesting, approving and reviewing the FFID sessions used by SAP team members.
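To make the automated SoD risk analysis on an access request concrete, the following is an added example (not Hexadius’ or SAP’s code) of how a GRC-style ruleset of risks, functions, actions and roles is evaluated when roles are requested; the risk ids, functions, transaction codes and role names are constructed sample data, and a real ARA ruleset also evaluates authorization objects, which this model omits.

```python
# Added example, not code from Hexadius or SAP: a minimal model of the SoD
# risk simulation SAP GRC AC runs on an access request (ARM calling ARA).
# Risk ids, functions, transaction codes and role names are constructed
# sample data, not the client's ruleset.

# Ruleset: risk id -> business functions that conflict when held together.
RULESET = {
    "P001": {"Maintain Vendor Master", "Post Vendor Invoice"},
    "P002": {"Post Vendor Invoice", "Run Vendor Payments"},
}
# Function -> actions (transaction codes) that enable it. Simplification:
# any one action enables the function; real ARA also checks authorization
# objects at permission level.
FUNCTIONS = {
    "Maintain Vendor Master": {"XK01", "XK02"},
    "Post Vendor Invoice": {"FB60", "MIRO"},
    "Run Vendor Payments": {"F110"},
}
# Role -> transaction codes the role grants (constructed sample roles).
ROLES = {
    "Z_AP_CLERK": {"FB60", "MIRO"},
    "Z_VENDOR_MASTER": {"XK01"},
    "Z_PAYMENT_RUN": {"F110"},
}


def functions_enabled(actions):
    """Business functions a user can perform given the actions they hold."""
    return {f for f, acts in FUNCTIONS.items() if acts & actions}


def risks_for(role_names):
    """Risk ids triggered by the combined actions of a set of roles."""
    actions = set()
    for role in role_names:
        actions |= ROLES[role]
    funcs = functions_enabled(actions)
    return {rid for rid, conflict in RULESET.items() if conflict <= funcs}


def simulate_request(existing_roles, requested_roles, mitigated=frozenset()):
    """Simulate adding roles: the picture an approver sees before deciding.

    Risks introduced by the request are split into those already covered by
    a mitigating control assigned to the user and those still open.
    """
    before = risks_for(existing_roles)
    after = risks_for(set(existing_roles) | set(requested_roles))
    new = after - before
    return {"existing": before,
            "new_mitigated": new & set(mitigated),
            "new_open": new - set(mitigated)}
```

An approver would typically reject, reduce, or require a mitigating control for any request that leaves `new_open` non-empty.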
Hexadius also conducted multiple requirements gathering, prototyping and knowledge-sharing sessions with key business and SAP users. Multiple classroom training sessions were conducted to ensure that the various SAP GRC AC users (such as access requesters, access approvers, firefighters, internal auditors, etc.) were able to use the system effectively. Relevant Standard Operating Procedures (‘SOP’) were also developed to ensure that the SAP GRC AC system can be managed on an ongoing basis.
The client successfully migrated from the custom-built tool to SAP GRC AC, and Hexadius supported it to ensure a smooth transition to the new system.
Benefit
The successful implementation of the SAP GRC AC resulted in the following benefits for our client:
- Single tool to seamlessly manage all SAP systems in their landscape
- Comprehensive and accurate access and SoD risk analysis
- Tighter control around user access provisioning, with business users exercising greater control over the access rights granted to users in the SAP systems
- Freeing up the SAP team’s time from routine user access provisioning activities for more value-adding activities that support key business operations and challenges
- Increased efficiency, traceability and manageability through workflows
- Greater control over the use of privileged, emergency and super user access
- Greater transparency to business users through multi-dimensional and multi-functional reports
- Efficient and effective governance and internal controls over user access provisioning and SoD risks in SAP systems.