1 SAP Cloud Identity Access Gov Fundamentals
Fundamentals
December 31, 2019
1
Challenges and Opportunities Driving
Transformation
2
Challenges and opportunities driving governance, risk, and compliance
(GRC) transformation
Challenges:
• Rapid onset and diversity of risk events and potential for catastrophic losses
• Stakeholder pressure for more reliable view of risk
• Global reach and complexity of regulatory requirements
• Relentless cyberthreats and need for protecting sensitive information and infrastructure
Opportunities:
• Real-time processes that allow redesign of legacy practices for risk and control monitoring
• Advances in predictive and machine learning capabilities
• Entrance into new markets and new trading partners
• Collaboration within and beyond the four walls of the organization, which requires controlled
information sharing and access
3
Opportunities for managing risk and compliance
How SAP GRC solutions can help your business
4
What’s Happening in Access Management
5
Why is managing access so hard?
Fragmented approach:
- Complex and constantly changing business environments result in a fragmented
approach to managing access risk
- Companies usually consider the users and authorizations they have at the single-
system level – if at all – and not at the level of user access across the enterprise.
- Leads to an incomplete or false view of risk and the controls put in place to
manage that risk.
Lack of visibility:
- Complex IT landscapes with many systems to manage
- Users have access across multiple systems
- Difficult to see whether users have too much access or access to sensitive
information across the IT landscape
- Should be built into the user and role management processes but often is a
separate initiative requiring additional time, money, and resources.
6
Digital identity
Definition and management
Definition
• Digital identity is the representation of an entity supported via
systems and services.
• Your digital identity is what defines your relationship with the
apps, devices, and services you need to be productive.
• Digital identity capabilities are what make the user experience
the most friction free and seamless.
• Access delivers experience and helps ensure security. Friction for user access
has direct revenue impacts.
• Asset-light businesses such as Uber, Airbnb, and Waze use real-time information
to deliver specific user-oriented services. Content changes based on physical
situations.
7
Digital identity and governance
8
A vision for cloud identity and access governance
Keeping it simple
A simple-yet-comprehensive, cloud-based identity management and access governance solution that provides
smooth integration for a superior user experience in complex environments and that is adaptive to the changing
business needs of growing organizations
IAG solutions are essentially IT systems that provide a life-cycle process for
managing user IDENTITY and governing identity and ACCESS requests. Ideally
systems should exemplify a number of best practice qualities:
9
Overview of
SAP Cloud Identity Access Governance
10
SAP Cloud Identity Access Governance (IAG)
The SAP Cloud Identity Access Governance (IAG) solution is built on the SAP Cloud Platform. It
uses SAP NetWeaver APIs to fetch data from on-premise and cloud solutions, and enables you
to use the following services to create access requests, analyze risks, and design roles.
11
SAP Cloud Identity Access Governance
Simple, seamless, and adaptive
Access governance
• Role design: Optimize role definition and streamline governance
• Access certification*: Review access, role, risk, and mitigation control
• Access request: Optimize access, workflow, policy-based assignment, and processes
*Planned 2019
12
SAP Cloud Identity Access Governance, access analysis service
Analyze access, refine user assignments, manage controls
Access analysis
13
Delivers insight into SoD and critical access risk
Analyze access, refine user assignments, manage controls
• Mature rule-set content delivered with solution, based on industry best practices
• Visualization-driven UI
• Integrated risk-scoring prioritization
• Integrated reporting and dashboards
© 2019 SAP SE or an SAP affiliate company. All rights reserved. ǀ INTERNAL 14
14
Intelligent analytics to assess SoD and critical access risks
Key benefits
• Customizable risk scoring and trending based on potential impact and sensitivity
• Focus on issues with the greatest potential risk
• Visualization with link to user analysis and remediation dashboard
15
Optimize user assignments for security and compliance
Analyze access, refine user assignments, manage controls
16
Integrated mitigating controls management and monitoring
Analyze access, refine user assignments, manage controls
17
SAP Cloud Identity Access Governance offering
Analyze access, refine user assignments, manage controls – access analysis service
• Dashboard analytics
• Select users to analyze
• Refine user assignments
• Optimize based on business requirement
• Mitigate risks
• Audit report
• Monitor controls
(Diagram labels: Refine, Monitor, Mitigate)
18
SAP Cloud Identity Access Governance, role design service
Optimize role definition and streamline governance
Role design
19
Bottoms-up role design
Optimize role definition and streamline governance
Key benefits
• Simplify process of determining correct access assignments
(Diagram labels: Role design, Cluster analysis)
20
Align business roles with organizational requirements
Optimize role definition and streamline governance
Key benefits
21
User-level reconciliation
Optimize role definition and streamline governance
Key benefits
22
SAP Cloud Identity Access Governance offering
Optimize role definition and streamline governance – role design service
This is the current state of planning and may be changed by SAP at any time.
23
SAP Cloud Identity Access Governance, access request service
Optimize access, workflow, policy-based assignment, and processes
Access request
24
Self-service access-request forms
• Designed for end users to find and request the roles they need
• Fiori-based UI with integrated context-based role search
• Easily integrated with applications to enable users to request access
25
Auditable access-request workflow
• Audit trail built in that tracks request approval, routing, and changes
• Allows auditors to determine how and when access was granted, changed, or removed
• Provides for request status and automated actions based on service level agreements
26
Integrated provisioning for hybrid landscapes
Key benefits
• Increased scope for provisioning across hybrid landscapes
• Simplified architecture leveraging common components
Systems shown (on premise and cloud): SAP S/4HANA Cloud, SAP Ariba, SAP SuccessFactors,
Microsoft Azure, SAP S/4HANA, SAP ECC, SAP Concur*, SAP Fieldglass*, SAP C/4HANA*
27
SAP Cloud Identity Access Governance offering
Optimize processes and streamline governance – access request service
Process steps shown in the diagram: Request, Analyze, Simulate, Remediate risks,
Adjust as needed, Approve, Provision, Audit workflow
28
SAP Cloud Identity Access Governance, access certification service
Review access, role, risk, and mitigation control
Access certification
29
SAP Cloud Identity Access Governance, privilege access management service
Account-based access, log consolidation, and review with automated log assessment for fraud
*Planned 2020
30
SAP Cloud Identity Access Governance offering
Feature overview
Access analysis
• Delivers insight into segregation of duties (SoD) and critical access for on-premise and cloud
solutions
• Provides configurable and predefined access policies and rules
• Enables refinement of assignments to optimize user access for security and compliance
• Allows management of controls including integrated control monitoring and testing
• Enables preconfigured audit reporting
Role design
• SAP Fiori-based, bottoms-up business role design and role refactoring
• Ability to assure business role compliance with organizational policies
• Integrated reconciliation process to help ensure consistency of business roles
• Ability to smoothly link access analysis and role design
Access request
• Self-service access request forms with built-in guides and data-driven filters
• Auditable access request workflow
• Integrated, compliant user provisioning process
• Native integration with cloud apps
Access certification
• Automate periodic access reviews
• Enable reviews specific to organizational needs
• Support large-scale reviews
• Manage the review process
• Access data-driven views for the review process
Privilege access management
• Administration of privileged user accounts
• Temporary use of elevated permissions
• Integrated session tracking
• Workflow-based activity review
*Planned 2020
31
Why the SAP Cloud Identity Access
Governance offering
32
SAP Cloud Identity Access Governance offering
Benefits and capabilities
Benefits
• No installation requirements other than a Web browser; complement and extension
of the existing SAP Access Control application around access risk analysis
• Better user experience with personalized information and graphical views
• Improved application security and compliance
Capabilities
• Access governance solution based on SAP Cloud Platform
• Intuitive user interface design on SAP Fiori user experience
• Instant visibility into access issues including access analysis, role design,
access request, access certification*, and privilege access management*
*Planned 2019
33
Bridging to the Cloud
34
Access Governance
Key trends, needs, and value proposition
Key trends in access governance and technology:
• Cloud computing – business applications are moving or have moved to the cloud
• Complexity and speed – administration needs to be faster and support more complex
user access scenarios
• Security – governance is what secures access to most applications
Organizational needs and the value proposed:
• Automate user on-boarding processes for business applications in the cloud and on-premise
• Implement roles and rules to automate access management
• Help ensure security and compliance with integrated risk analysis and workflow
35
SAP Access Control
Product or portfolio areas of future investment
Seamless administration and governance for cloud, on-premise, and hybrid landscapes
36
Integration: bridge concept of SAP Cloud Identity Access Governance
SAP Access Control and SAP Cloud Identity Access Governance
Shared Content
▪ Risk library
▪ Mitigation controls
▪ Mitigation
Shared Functions
▪ Access request simulation
▪ Business role simulation
(Diagram labels: On premise, On-premise applications, Cloud applications)
37
Integration: cloud applications
38
Hybrid Identity and Access Governance
CLOUD
ON-PREMISE LANDSCAPE Firewall
39
© 2019 SAP SE or an SAP affiliate company. All rights reserved.
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP SE or an SAP affiliate company.
The information contained herein may be changed without prior notice. Some software products marketed by SAP SE and its distributors contain proprietary software components
of other software vendors. National product specifications may vary.
These materials are provided by SAP SE or an SAP affiliate company for informational purposes only, without representation or warranty of any kind, and SAP or its affiliated
companies shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP or SAP affiliate company products and services are those that are
set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.
In particular, SAP SE or its affiliated companies have no obligation to pursue any course of business outlined in this document or any related presentation, or to develop or release
any functionality mentioned therein. This document, or any related presentation, and SAP SE’s or its affiliated companies’ strategy and possible future developments, products,
and/or platforms, directions, and functionality are all subject to change and may be changed by SAP SE or its affiliated companies at any time for any reason without notice. The
information in this document is not a commitment, promise, or legal obligation to deliver any material, code, or functionality. All forward-looking statements are subject to various risks
and uncertainties that could cause actual results to differ materially from expectations. Readers are cautioned not to place undue reliance on these forward-looking statements, and
they should not be relied upon in making purchasing decisions.
SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE (or an SAP affiliate company)
in Germany and other countries. All other product and service names mentioned are the trademarks of their respective companies.
See www.sap.com/corporate-en/legal/copyright/index.epx for additional trademark information and notices.
40