Managing this through manual processes is prone to error, due to the number of systems and the complexity of keeping track of who’s who, when they should be granted access and when this should be terminated.
This is where automated identity management tools come into the picture. Through integrated processes the joiner-mover-leaver cycle can be automated, ensuring that the right parts of the system for the role in question are accessible from day one and that this access is removed at the end of the engagement, whether that is for employees or external parties.
Managing accounts is just one piece of the puzzle; it’s even more important to manage the access rights of these accounts. Much of this can be handled through pre-approved access for certain types of users. Vendors can be automatically granted access to the Vendor Replenishment Planning portal, for example, while an employee can be given access to employee self-service functionality where they can undertake tasks such as entering timesheets or viewing payslips.
But when more than standard access is required, it is important to have processes in place to manage this. This prevents access to critical functionality being granted unwittingly, and ensures that the access is only in place for as long as it is legitimately needed; i.e. that it is temporary and removed on a timely basis.
This can be achieved through integration with systems used for requesting and approving access, segregation of duties (SoD) analysis tools to analyse the impact of the access being granted, and the identity management system to grant the access.
SAP’s Identity Management
SAP’s Identity Management SAP IdM tool is one option on the market that automates user provisioning. It offers easy integration with SAP’s Human Capital Management (HCM) and the cloud-based SuccessFactors for sourcing data for employees and other partners. This forms the start of the provisioning process. By defining the rules and access requirements based on user attributes, such as job position and work location, the base access can be automatically provisioned. This access has been defined upfront and has been pre-approved, based on the tasks to be performed for all users in similar positions.
If a user requires additional access temporarily, for example as part of year end processing, this can be requested through the IT Service Management (ITSM) system, such as Remedy or Service Now, which can be integrated with SAP IdM through its native REST interface.
Managing access risk with GRC
Once the provisioning request has been created, SAP IdM can request risk analysis through the SAP Governance, Risk and Compliance (GRC) system. This will initiate a workflow to determine whether the requested access will result in critical access or segregation of duty issues. The approver, who can be the user’s manager or a business process owner, will receive the workflow and can accept or reject the request.
If approval is given, SAP IdM will provision access to the relevant systems for that user. This provides a fast process with minimal manual intervention. At the same time, it is administered by the system, making sure that all relevant reviews are enforced, and all approvals are captured in a central location.
Business rules set access rights
When the employee moves to a different position in the organisation, IdM will receive updated information from the source system and recalculate access requirements based on the business rules and the requirements of the new role. Similarly, when the employee or business partner leaves the organisation and the HR system is updated, SAP IdM will deprovision the access and disable the accounts across all systems, without any manual intervention.
Enterprises differ on their identity management needs and it is important that the tools selected can be customised to cater for individual business requirements. SAP IdM for example can be configured to use a set time zone and language for users based on their location, or to only grant users access once certain requirements have been met, such as the successful completion of training courses for example.
Automation requires reliable data
Of course, automation of user provisioning is very difficult without proper master data such as a reliable data source or a relatively well-established access concept to determine who should have what level of access. If this is not in place, the SAP IdM system can be used as a central interface to manually administer the access across systems, but the value is less, as the processes cannot be easily automated.
Complex systems need automated access management
Identity management systems greatly reduce the manual effort involved in managing users across the constantly evolving system landscape, while ensuring that any risks related to access are minimised. Given the right access from day one, a user can be productive from the day they join, while the automated disabling of access when a person leaves the organisation means that the data and processes of the company is only available to the right people.
As organisations interact increasingly closely with partners, system access rights continue to grow more complex – and the need for automated processes to stay on top of these becomes ever more critical.
With this article, Turnkey starts a mini-series of articles that focuses on SAP Identity Management. The next article will be about threat detection.