How SAP’s Digital Transformation Impacts Access Controls

With all of the talk about SAP S/4 Hana migrations, one thing often gets lost in the conversation. What happens to access controls in this digital transformation and migration to S/4 Hana?

Unequivocally, SAP has made some big strides in digital transformation with the powerful combination of the new Hana database and its latest iteration of ERP, S/4 Hana. Leveraging big data is a major component of digital transformation, and SAP has hit the mark with faster processing and analysis due to the Hana in-memory database and S/4 digital core. However, with all of the talk about S/4 Hana migration, one thing often gets lost in the conversation. What happens to access controls and GRC in this digital transformation and migration to S/4?

Additional access control migration

For users of SAP’s Access Controls (SAP GRC) and those who continue to use it, an additional migration is required from GRC 10 to GRC 12. However, with S/4, some functionality, such as HR, supply chain, etc., that used to reside within SAP’s ECC ERP, now sits outside of the S/4 Hana digital core in the form of cloud apps, like SAP SuccessFactors, SAP Concur, SAP Ariba and SAP Fieldglass.

In order to have access controls and visibility into access risks beyond the digital core and across the cloud application ecosystem, users of GRC 12 also will have to implement SAP’s Identity Access Governance (IAG) solution, which serves as a bridge for the on-premise GRC 12 solution. This enables connection to and access analysis of the applications external to the digital core.

The way SAP explains it, users of access control on-premise (GRC 12) create access requests, and the risk analyses and mitigation control assignments are handled by the cloud access analysis service (IAG). This essentially means SAP GRC customers will need two SAP solutions to conduct enterprise-wide access controls.

What happens after GRC 12?

Will there be another version of Access Controls and additional upgrade costs, or will the IAG solution be able to conduct the access management work of GRC 12 that it can’t today? Answers vary according to sources.

SAP has said that GRC 12 is not going away. However, another source reports that end of maintenance for GRC 12 will be as soon as December 31, 2024, meaning only a four-year gap between end of life for GRC 10 in December 2020 and end of life for GRC 12.

The uncertainty and constant upgrades aren’t ideal for SAP customers seeking more future-proofed access controls with fewer disruptions and lower costs. The need for two systems to complete enterprise-wide access controls isn’t optimal either.

Access control on parallel path with digital transformation

In this age of digital transformation, access control technology should be on a parallel path of transformation to deliver some of the major benefits that digital transformation brings, such as automation, agility, speed, big data, etc. Cloud technology, especially, is central to digital transformation. In respect to future-proofing of access controls, cloud offers the greatest advantages for rapid development, deployment and scale – without interruption and generally without passing on upgrade costs to users.

To take advantage of the existing and growing number of cloud applications within SAP’s ecosystem – as well as those external to it but that connect to S/4 Hana – while also being able to have a cross-application view of access risks across all systems in the enterprise, SAP customers need to think about how to do that as simply and cost-effectively as possible.

In a perfect world, there would be a future-proofed solution that could eliminate the upgrade trap so that customers can be assured that wherever SAP takes its ERP in the future, access controls go right along with it without additional migrations and fees. The good news is that in the real world today, such solutions do exist and can be implemented quickly, even in less than 60 minutes.

It’s a common best practice that for any new system an organization installs, it should deploy a compatible security solution right alongside it to stay protected before, during and after implementation. Access controls are internal security to protect against the increase in fraud and the growing number of internal attacks. Companies considering or in the process of a move to S/4 Hana should be choosing their internal controls solution at the same time.

They need to take into account the options: implement two additional SAP solutions to handle access risk management and accept the ambiguity over what will change in those solutions in the years ahead, or step outside of SAP and select a future-proofed cloud solution that eliminates the continuous upgrade cycle for the long haul.

ERP Maestro

About the author

Jody Paterson, ERP Maestro

Jody is a trusted advisor and cybersecurity thought leader who is a Certified Information Security Specialist (CISSP), a Certified Information Security Auditor (CISA), former director at KPMG, and founder of ERP Maestro.
