Multinational Real Estate Organization

Business Profile 

Our client is a Singaporean multinational real estate operating organization. The organization was evaluating Identity Governance & Administration (‘IGA’) solutions to support its User Access Management (‘UAM’) control activities for its users.

Objective

The organization’s immediate focus was on addressing Segregation of Duties (‘SoD’) risks in its SAP system. Accordingly, we proposed a phased approach, wherein Phase 1 focussed on the immediate need and at the same time provided a platform for a wider IGA rollout in future. The organization wanted to leverage the IGA solution to extend IGA functionalities to broader enterprise systems.

The overall objectives of this IGA deployment were as follows:

  1. Manage user lifecycle more efficiently and effectively
  2. Provide enterprise-wide visibility of user access
  3. Improve overall governance process
  4. Better address audit and compliance requirements
  5. Automate provisioning activities to reduce user administration cost
  6. Automate governance activities to reduce overall governance cost.

Work Performed

Turnkey proposed an IGA solution based on SailPoint’s IdentityNow (‘IDN’) and Access Risk Management (‘ARM’) solutions. While IDN provided the IGA platform, ARM was meant to address the unique challenges of managing SoD risks in SAP, which are more granular (at the level of transaction codes and authorizations).

Overall, the scope of work included the following activities:

  1. Foundation – System preparation (i.e., setting up the IDN tenant), including installation and validation of the Virtual Appliance (‘VA’)
  2. Application Technical Integration
    1. Configuration and data loading for authoritative source
    2. Setup Identity Profiles 
    3. Connect the target applications (i.e., SAP S/4 HANA, Ariba and Kyriba)
    4. Aggregate and correlate the user accounts on the target applications 
    5. Aggregate entitlements on the target applications
  3. Access Certification
    1. Configuration of manager, source owner or search-based certification campaigns 
    2. Creation of campaign filters to be associated with campaigns to determine scope of access 
    3. Configuration of connected sources in scope for direct auto-revocation of access, where relevant 
    4. Certification report workshop to walk through reports 
  4. SoD Policy
    1. Setting up SoD rules
    2. Configuration of SoD reports
  5. Access Risk Management
    1. Setup of ARM system
    2. Activating ARM integration with IDN and SAP S/4 HANA
    3. Configuration of SoD risk analysis in SAP S/4 HANA using ARM
  6. Training and Knowledge Transfer
  7. UAT support
  8. Deployment support
  9. One-month post go-live warranty support.

Benefit

The successful completion of the project resulted in the following benefits for the company:

  • Strengthened the client’s cybersecurity posture
  • Compliance with MAS standards/requirements as well as internal control requirements
  • Automated user lifecycle management, including automated provisioning and deprovisioning for Joiner, Mover and Leaver
  • Easy and simple to use self-service access requests, including automated workflow for approval (and preventive SoD checks)
  • Automated periodic user access review
  • Enforced Segregation of Duties (‘SoD’) policies
