
SAP Cloud Identity Access Governance

Fundamentals
December 31, 2019

Challenges and Opportunities Driving Transformation

Challenges and opportunities driving governance, risk, and compliance (GRC) transformation

Need for managing increased risk and volatility:
• Rapid onset and diversity of risk events and potential for catastrophic losses
• Stakeholder pressure for more reliable view of risk
• Global reach and complexity of regulatory requirements
• Relentless cyberthreats and need for protecting sensitive information and infrastructure

Proliferation of new business models and technology:
• Real-time processes that allow redesign of legacy practices for risk and control monitoring
• Advances in predictive and machine learning capabilities
• Entrance into new markets and new trading partners
• Collaboration within and beyond the four walls of the organization, which requires controlled information sharing and access

© 2019 SAP SE or an SAP affiliate company. All rights reserved. ǀ INTERNAL 3

Opportunities for managing risk and compliance
How SAP GRC solutions can help your business

• Drive performance: Increase predictability and help avoid catastrophic losses with a single view of risk
• Adopt leading practices: Improve your “three lines of defense” and enable control automation across real-time processes for detection and exception monitoring
• Manage impact of global change: Grow the business globally while managing the global reach and complexity of regulations and changes to trade, taxes, and business models
• Confront information security threats: Manage risk associated with cyberthreats, govern access, and protect information
• Embark on compliant digital transformation: Embed GRC within SAP S/4HANA for the ability to integrate risk management into core processes


▪ Avoiding Catastrophic Losses:
Challenge: Rapid onset and diversity of risk events and potential for catastrophic losses
Examples: Reputational risks, Operational challenges, Compliance failures
▪ Managing Impacts of Global Change:
Challenge: Global reach and complexity of regulatory and reporting requirements
Examples: Global Changes and impacts to Trade, Taxes, Business Models
▪ Confronting Information Security Threats:
Challenge: Relentless cyber threats and protecting sensitive information
Examples: EU’s GDPR (General Data Protection Regulation), Intellectual Property, Customer and Corporate Information
▪ Embarking on Compliant, Digital Transformation:
Challenge: Evolving business practices due to digitalization and big data
Examples: Managing big data, Information in the cloud, Detecting anomalies and fraud
▪ Adopting Leading Practices:
Challenge: Inadequate controls across real-time processes
Examples: Antiquated GRC practices not focused on true business risk
▪ Driving Performance:
Challenge: Stakeholder pressure for more reliable view of risk
Examples: Greater predictability on performance, risk-adjusted decision making

What’s Happening in Access Management

Why is managing access so hard?

• Increasing number and complexity of enterprise applications
• Different types of authorization models
• Key requirement for many regulations
• Fragmented approach to managing access risk
• Manual administrative processes
• Lack of visibility into user access and access risk
• Inability to prevent access risk violations


Fragmented approach:
- Complex and constantly changing business environments result in a fragmented approach to managing access risk
- Companies usually consider the users and authorizations they have at the single-system level – if at all – and not at the level of user access across the enterprise.
- Leads to an incomplete or false view of risk and the controls put in place to manage that risk.

Inefficient and costly processes:
- Transitioning end users to a new assignment or hiring new employees and granting them access can take weeks away from productive work.
- This type of approach often leaves out risk analysis altogether
- Little or no automated workflow to provide a record of changes, leaving work to be performed manually by compiling forms, e-mail messages, etc.

Lack of visibility:
- Complex IT landscapes with many systems to manage
- Users have access across multiple systems
- Difficult to see whether users have too much access or access to sensitive information across the IT landscape

Inability to prevent access risk violations:
- Upholding internal SoD policies and managing critical access manually is typically more of a detective process than a preventive one.
- Should be built into the user and role management processes but often is a separate initiative requiring additional time, money, and resources.
Digital identity
Definition and management

Definition
• Digital identity is the representation of an entity supported via
systems and services.
• Your digital identity is what defines your relationship with the
apps, devices, and services you need to be productive.
• Digital identity capabilities are what make the user experience
the most friction free and seamless.

Managing digital identities


• User experience drives success of business and applications.
• Digital businesses are increasingly interconnected – users,
devices, applications.
• Digital transformation is driving identity and access management
(IAM) technologies to deliver greater automation and ease of use.


• Access delivers experience and helps ensure security: friction for user access has direct revenue impacts

• Cloud IDaaS is replacing on-premise: by 2019, 40% of IDaaS implementations will replace on-premise IAM implementations, up from 10% today

• Asset-light industries such as Uber, Airbnb, and Waze use real-time information to deliver specific user-oriented services; content changes based on physical situations

Digital identity and governance

Digital identity (hub of the diagram) and the surrounding governance areas:

Single sign-on
• Multifactor authentication
• Password management
• Federated authentication
• Context and risk-based authentication

Compliance
• Access analysis
• Remediation and monitoring
• Audit and reporting

Access
• Access optimization
• Role management
• Automated assignment
• Approval processes

Device
• Security profile policies
• Access and use policies
• Device application access

Policies
• Application access policies
• Compliance and risk policies
• Privileged access
• Contextual authentication

Privileged access
• Account-based solution
• Log consolidation and review
• Automated log assessment for fraud

Certification
• Access review
• Risk review
• Risk, mitigation control review


A vision for cloud identity and access governance
Keeping it simple

A simple-yet-comprehensive, cloud-based identity management and access governance solution that provides
smooth integration for a superior user experience in complex environments and that is adaptive to the changing
business needs of growing organizations

Organizations require a lifecycle process for managing user identities and governing identity and access requests on premise and in the cloud:

• Secure environment for managing identities
• Comprehensive access governance capabilities
• Compliant, auditable governance
• Simple, seamless, and transparent processes
• Up-to-date, scalable, and extensible solution


This is why organizations need Identity Management and Access Governance solutions, to protect the business and employees from potential risks, while ensuring compliance with statutory regulations and stakeholder needs for a stable, growing business.

IAG solutions are essentially IT systems that provide a life-cycle process for managing user IDENTITY and governing identity and ACCESS requests. Ideally systems should exemplify a number of best practice qualities:

Safe and secure environment for managing identities
Strong, comprehensive capabilities governing the provisioning of identity and access requests
▪ Right person, right system, right time!
▪ Simplify the process of getting the right access
Transparent, auditable and compliant governance
▪ Meet regulatory needs
▪ Superior analysis of identity and access
Simple, seamless identity and access processes
▪ Ease of use for administrators – automation of processes and management of user identity and access profiles
▪ Ease of access for users – as roles or business requirements change
▪ Ease of auditing, with comprehensive reporting and analysis and identification of access violations
Contemporary extensible design

Overview of SAP Cloud Identity Access Governance

SAP Cloud Identity Access Governance (IAG)

The SAP Cloud Identity Access Governance (IAG) solution is built on the SAP Cloud Platform. It
uses SAP NetWeaver APIs to fetch data from on-premise and cloud solutions, and enables you
to use the following services to create access requests, analyze risks, and design roles.

• SAP Cloud Identity Access Governance, access analysis service

• SAP Cloud Identity Access Governance, access request service

• SAP Cloud Identity Access Governance, role design service

• SAP Cloud Identity Access Governance, access certification service


SAP Cloud Identity Access Governance
Simple, seamless, and adaptive

• Access analysis: Analyze access, refine user assignments, manage controls
• Role design: Optimize role definition and streamline governance
• Access request: Optimize access, workflow, policy-based assignment, and processes
• Access certification*: Review access, role, risk, and mitigation control
• Privilege access management*: Achieve account-based access, log consolidation, and review with automated log assessment for fraud

*Planned 2019


SAP Cloud Identity Access Governance, access analysis service
Analyze access, refine user assignments, manage controls

Access analysis

• Delivers insight into segregation of duties (SoD) and critical access for on-premise and cloud solutions with built-in risk scoring
• Provides configurable and predefined access policies and rules
• Enables refinement of assignments to optimize user access for security and compliance
• Allows management of controls including integrated control monitoring and testing
• Enables preconfigured audit reporting


Delivers insight into SoD and critical access risk
Analyze access, refine user assignments, manage controls

Assess SoD and critical access risks

Rule set structure (diagram):
• Business processes: Order to cash, Finance, ... business process n (unlimited number)
• Risks within each business process: Risk A, Risk B, ... Risk n (unlimited number)
• Functions within each risk: Function 1, Function 2, Function 3, Function 4, ... Function n
• Actions/Permissions within each function, per system: SAP ERP, Oracle, PeopleSoft

Key benefits
• Reduces risks associated with SoD conflicts and sensitive access for on-premise and cloud solutions
• Optimizes time and efficiency in determining correct role assignments
• Supports key audit reporting requirements

• Mature rule-set content delivered with solution, based on industry best practices
• Visualization-driven UI
• Integrated risk-scoring prioritization
• Integrated reporting and dashboards

Intelligent analytics to assess SoD and critical access risks

Delivers built-in risk scoring and trending

Key benefits
• Greater visibility into potential issues
• Streamline and prioritize mitigation activities
• More easily remediate high-impact issues and improve security

• Customizable risk scoring and trending based on potential impact and sensitivity
• Focus on issues with the greatest potential risk
• Visualization with link to user analysis and remediation dashboard


Optimize user assignments for security and compliance
Analyze access, refine user assignments, manage controls

Guided user-refinement process to update role assignments

Key benefits
• Integrated audit tag to track user assignment changes
• Guided process to identify and remove unnecessary role assignments based on usage and SoD risk
• Built-in simulation to check proposed new assignments


Integrated mitigating controls management and monitoring
Analyze access, refine user assignments, manage controls

Create, assign, and monitor mitigating controls

Key benefits
• Create mitigating controls for access risk
• Assign validity periods and owners for mitigating controls
• Integrate monitoring and reporting for mitigating controls


SAP Cloud Identity Access Governance offering
Analyze access, refine user assignments, manage controls – access analysis service

Process flow (diagram): Dashboard analytics → Select users to analyze → Refine user assignments → Optimize based on business requirement → Mitigate risks → Audit report → Monitor controls (cycle labels: Refine, Monitor, Mitigate)


Access Analysis Process:
• Prioritization from dashboard analytics
• Organization and user type, risk type/level, business process
• Select user to analyze
• Analysis process – status flags
• Optimize to remove or reduce risk
• Mitigate SoD risk
• Automated role selection
• Export of changes to provisioning system
SAP Cloud Identity Access Governance, role design service
Optimize role definition and streamline governance

Role design

• SAP Fiori-based, bottoms-up business role design and role refactoring
• Ability to assure business role compliance with organizational policies
• Integrated reconciliation process to help ensure consistency of business roles
• Ability to smoothly link access analysis and role design


Bottoms-up role design
Optimize role definition and streamline governance

Key benefits
• Reduce the complexity of role administration
• Simplify process of determining correct access assignments
• Reduce the number of roles necessary to manage access

Diagram: Cluster analysis → Role design

• Create business roles based on existing assignments
• Add or remove roles to map functional requirements with system technical role assignments
• Reduce the number of roles required to administer access
• Create abstraction layer, reducing the need to separately administer each user, role, and system

Align business roles with organizational requirements
Optimize role definition and streamline governance

Key benefits
• Create business roles based on organizational functional requirements
• Help ensure consistency of access assignments
• Apply organizational assignment policies


User-level reconciliation
Optimize role definition and streamline governance

Key benefits
• User-impact analysis that indicates the assignment changes for users
• Integrated access analysis
• “What if” simulation provided for new and changed business roles


SAP Cloud Identity Access Governance offering
Optimize role definition and streamline governance – role design service

Enhanced user experience and productivity with optimized access definition

Mine roles
• Roles, privileges, and authorizations
• User access authorizations
• Usage activity

Optimize access
• Analyze mined access information
• Discover optimal granularity of access for an end-to-end business process

Refine access
• Propose optimal user access
• Orchestrate

Analyze impact
• Adjust role content to remediate risks
• Mitigate risks as applicable

Provision users
• Assign access to users
• Notify users

This is the current state of planning and may be changed by SAP at any time.

SAP Cloud Identity Access Governance, access request service
Optimize access, workflow, policy-based assignment, and processes

Access request

• Self-service access-request forms with built-in guides and data-driven filters
• Auditable access-request workflow
• Integrated, compliant user-provisioning process
• Native integration with cloud apps


Self-service access-request forms

Intuitive, self-service access request forms

Key benefits
• Empower end users and improve efficiencies
• Intuitive, easy-to-use guided access request process
• Improve transparency and accuracy of access assignments

• Designed for end users to find and request the roles they need
• Fiori-based UI with integrated context-based role search
• Easily integrated with applications to enable users to request access

Auditable access-request workflow

Preconfigured but customizable workflow

Key benefits
• Improved audit readiness with comprehensive audit trail
• Greater efficiency and visibility into end-to-end user provisioning
• Improved security and governance for business applications

• Audit trail built in that tracks request approval, routing, and changes
• Allows for auditors to determine how and when access was granted, changed, removed
• Provides for request status and automated actions based on service level agreements


Integrated provisioning for hybrid landscapes

Key benefits
• Increased scope for provisioning across hybrid landscapes
• Simplified architecture leveraging common components
• Enable and govern users for processes that span multiple applications

Connected applications (diagram)
Cloud: SAP S/4HANA Cloud, SAP Ariba, SAP SuccessFactors, Microsoft Azure, SAP Concur*, SAP Fieldglass*, SAP C/4HANA*
On premise: SAP S/4HANA, SAP ECC

• Seamless access governance across hybrid landscapes
• Automated access request approval and provisioning based on HR events
• Expanded system connectors for key business applications on-premise and cloud
• S/4HANA native integration including rule content and support for new authorization model
*Planned

SAP Cloud Identity Access Governance offering
Optimize processes and streamline governance – access request service

Optimize access, workflow, policy-based assignment, and processes

Process stages (diagram): Request → Analyze → Simulate → Approve → Provision → Audit workflow
Associated steps: select access needed for job; remediate risks; adjust as needed; check status; cancel or resubmit

This is the current state of planning and may be changed by SAP at any time.
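The access analysis and access request slides above describe one pipeline: a rule set organised as business process → risk → functions → actions per system, findings scored by risk level, mitigating controls with owners and validity periods, usage-based refinement of assignments, and a “what if” simulation of a requested role before it is provisioned. The following Python is an added illustration of that pipeline, not SAP's code or rule content. Everything in it is a constructed assumption: the function, risk, role and action names, the score weights, the control MC01, the users, and the matching rule that a user holds a function when they hold any one of its actions (a simplified action-level analysis).

```python
"""Constructed example of SoD / critical-access analysis over a tiny rule set.
Added illustration, not SAP's code or data; names, weights and the matching
rule are assumptions made for the example."""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Function:
    fid: str
    actions: frozenset  # (system, action) pairs that make up the function


@dataclass(frozen=True)
class Risk:
    rid: str
    business_process: str
    functions: tuple  # 2+ functions = SoD conflict, 1 function = critical access
    level: str        # "High" | "Medium" | "Low"


@dataclass(frozen=True)
class MitigatingControl:
    cid: str
    rid: str          # risk this control mitigates
    owner: str
    valid_from: date
    valid_to: date
    users: frozenset  # user ids the control is assigned to


# Assumed score weights; the deck only says scoring is customizable by impact.
SCORES = {"High": 10, "Medium": 5, "Low": 1}

# Constructed rule set. Action names are placeholders, not real transaction codes.
FUNCTIONS = {
    "VENDOR_MAINT": Function("VENDOR_MAINT", frozenset({("SAP ERP", "VENDOR_CREATE"),
                                                        ("SAP ERP", "VENDOR_CHANGE")})),
    "PAYMENT_RUN": Function("PAYMENT_RUN", frozenset({("SAP ERP", "PAYMENT_POST"),
                                                      ("Oracle", "AP_PAY")})),
    "USER_ADMIN": Function("USER_ADMIN", frozenset({("SAP ERP", "USER_MAINT")})),
}
RISKS = [
    Risk("P001", "Procure to pay", ("VENDOR_MAINT", "PAYMENT_RUN"), "High"),  # SoD conflict
    Risk("B001", "Basis", ("USER_ADMIN",), "Medium"),                       # critical access
]
# Constructed technical roles and the (system, action) pairs they grant.
ROLES = {
    "Z_AP_CLERK": {("SAP ERP", "VENDOR_CREATE")},
    "Z_AP_PAYMENTS": {("SAP ERP", "PAYMENT_POST")},
    "Z_ORACLE_AP": {("Oracle", "AP_PAY")},
    "Z_BASIS_USERS": {("SAP ERP", "USER_MAINT")},
}
CONTROLS = [  # constructed control: valid for calendar year 2019, assigned to u_bob only
    MitigatingControl("MC01", "P001", "ap.manager", date(2019, 1, 1), date(2019, 12, 31),
                      frozenset({"u_bob"})),
]


def actions_for(roles):
    """All (system, action) pairs granted by a set of technical roles."""
    return set().union(*(ROLES[r] for r in roles)) if roles else set()


def held_functions(actions):
    """Action-level matching (assumption): a function is held if any of its actions is."""
    return {f.fid for f in FUNCTIONS.values() if f.actions & actions}


def analyze(user, roles, today):
    """Findings for a user as (risk id, level, score, mitigated), highest score first.
    A control mitigates a finding only if it is assigned to the user and
    today (ISO date string) falls inside its validity period."""
    day = date.fromisoformat(today)
    held = held_functions(actions_for(roles))
    findings = []
    for risk in RISKS:
        if all(f in held for f in risk.functions):  # every function of the risk is held
            mitigated = any(c.rid == risk.rid and user in c.users
                            and c.valid_from <= day <= c.valid_to for c in CONTROLS)
            findings.append((risk.rid, risk.level, SCORES[risk.level], mitigated))
    return sorted(findings, key=lambda f: -f[2])


def open_risk_score(user, roles, today):
    """Sum of scores of unmitigated findings; the value a dashboard would rank on."""
    return sum(s for _, _, s, mitigated in analyze(user, roles, today) if not mitigated)


def refine(user, roles, used_actions, today):
    """Usage-based refinement: propose removing roles the user never exercised
    when dropping them lowers the open risk score."""
    baseline = open_risk_score(user, roles, today)
    return sorted(r for r in roles
                  if not (ROLES[r] & used_actions)
                  and open_risk_score(user, set(roles) - {r}, today) < baseline)


def simulate_request(user, roles, requested_role, today):
    """'What if' check before provisioning: findings the requested role would add."""
    before = {f[0] for f in analyze(user, roles, today)}
    return [f for f in analyze(user, set(roles) | {requested_role}, today)
            if f[0] not in before]


if __name__ == "__main__":
    bob = {"Z_AP_CLERK", "Z_AP_PAYMENTS", "Z_BASIS_USERS"}
    print(analyze("u_bob", bob, "2019-06-01"))          # P001 mitigated, B001 open
    print(open_risk_score("u_bob", bob, "2020-01-15"))  # MC01 expired -> 15
    print(refine("u_bob", bob, {("SAP ERP", "VENDOR_CREATE"),
                                ("SAP ERP", "PAYMENT_POST")}, "2019-06-01"))
    print(simulate_request("u_alice", {"Z_AP_CLERK"}, "Z_ORACLE_AP", "2019-06-01"))
```

Two details carry the security point of the slides. The control's validity window is enforced at analysis time, so the same user who is clean in June 2019 shows an open High finding in January 2020 once MC01 lapses, which is what a monitored control with an expiry is supposed to surface. And the simulation for u_alice combines an SAP ERP action with an Oracle action into one SoD conflict, which is the cross-system view that single-system authorization checks miss.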

SAP Cloud Identity Access Governance, access certification service
Review access, role, risk, and mitigation control

Access certification

• Automate periodic access reviews
• Enable reviews specific to organizational needs
• Support large-scale reviews
• Manage the review process
• Access data-driven views for the review process


SAP Cloud Identity Access Governance, privilege access management service
Account-based access, log consolidation, and review with automated log assessment for fraud

Privilege access management*

• Administration of privileged user accounts
• Temporary use of elevated permissions
• Integrated session tracking
• Workflow-based activity review

*Planned 2020


SAP Cloud Identity Access Governance offering
Feature overview

Access analysis
• Delivers insight into segregation of duties (SoD) and critical access for on-premise and cloud solutions
• Provides configurable and predefined access policies and rules
• Enables refinement of assignments to optimize user access for security and compliance
• Allows management of controls including integrated control monitoring and testing
• Enables preconfigured audit reporting

Role design
• SAP Fiori-based, bottoms-up business role design and role refactoring
• Ability to assure business role compliance with organizational policies
• Integrated reconciliation process to help ensure consistency of business roles
• Ability to smoothly link access analysis and role design

Access request
• Self-service access request forms with built-in guides and data-driven filters
• Auditable access request workflow
• Integrated, compliant user provisioning process
• Native integration with cloud apps

Access certification
• Automate periodic access reviews
• Enable reviews specific to organizational needs
• Support large-scale reviews
• Manage the review process
• Access data-driven views for the review process

Privilege access management*
• Administration of privileged user accounts
• Temporary use of elevated permissions
• Integrated session tracking
• Workflow-based activity review

*Planned 2020

Why the SAP Cloud Identity Access Governance offering

SAP Cloud Identity Access Governance offering
Benefits and capabilities

Benefits
• No installation requirements other than a Web browser; complement and extension of the existing SAP Access Control application around access risk analysis
• Better user experience with personalized information and graphical views
• Improved application security and compliance
• Central management of access risk across hybrid landscapes

Capabilities
• Access governance solution based on SAP Cloud Platform
• Intuitive user interface design on SAP Fiori user experience
• Instant visibility into access issues including access analysis, role design, access request, access certification*, and privilege access management*
• Support for cloud applications

*Planned 2019


Bridging to the Cloud

Access Governance
Key trends, needs, and value proposition

Key trends in access governance and technology:
• Cloud computing – business applications are moving or have moved to the cloud
• Complexity and speed – administration needs to be faster and support more complex user access scenarios
• Security – governance is what secures access to most applications

Impacts
• Cloud applications aren’t supported and require manual provisioning
• Administration is based on synchronization
• It’s difficult to ensure that correct users are provisioned
• Users and administrators find workarounds

Organizational needs and the value proposed:
• Automate user on-boarding processes for business applications in the cloud and on-premise
• Implement roles and rules to automate access management
• Help ensure security and compliance with integrated risk analysis and workflow

Lower administration cost
• Greater accuracy in user and role assignments
• Improved security with correct users assigned to correct application roles
• Easier to meet and demonstrate compliance requirements

SAP Access Control
Product or portfolio areas of future investment

Seamless administration and governance for cloud, on-premise, and hybrid landscapes

Areas of investment and path forward
– Deliver content for SAP on-premise business applications
– Deliver cloud integrations via SAP IAG to address hybrid landscapes
– Enable new connectors and integrations to be easily delivered
– Machine learning automation to determine correct role assignments
– AI based automated approvals for workflow processes
– Integrate Gigya Enterprise Preference Manager as a mechanism to determine authorization assignments

*first phase complete



Integration: bridge concept of SAP Cloud Identity Access Governance

Diagram: SAP Access Control (on premise; user access administration for on-premise applications) ↔ SAP Cloud Identity Access Governance (cloud applications)

Shared Content
▪ Risk library
▪ Mitigation controls
▪ Mitigation

Shared Functions
▪ Access request simulation
▪ Business role simulation



Integration: cloud applications

1. SAP Access Control → on-premise applications
2. SAP Cloud Identity Access Governance → cloud applications
3. Cloud SAP Cloud Identity Access Governance bridge sync (SAP Access Control → SAP Cloud Identity
Access Governance)
a) Access risk library
b) Repository data
c) Mitigation controls and mitigation (user + access risk + mitigation control + monitor)
4. SAP Access Control access request and access analysis simulation (SAP Access Control → SAP Cloud
Identity Access Governance)
a) Simulation during access request process → SAP Cloud Identity Access Governance access analysis service
b) Mitigation in access request temporary (control look up → SAP Cloud Identity Access Governance)
c) Persistent mitigation after approval process ( SAP Access Control workflow → SAP Cloud Identity Access
Governance)


Hybrid Identity and Access Governance

Diagram: on-premise landscape and cloud, separated by a firewall

ON-PREMISE LANDSCAPE
SAP Access Control*
• Access Analysis
• Role Design
• Access Request
• Emergency Access Management
• Workflow
• Provisioning
SAP Identity Management**
• Users/Groups
• Roles
• Connectors
Target systems: SAP NetWeaver, SAP Business Suite, 3rd Party, ...

CLOUD
Cloud IAG end-user self-service; bridge* from SAP Access Control
SAP Cloud Identity Access Governance
• Access Analysis
• Role Design
• Access Request
SAP Cloud Platform Identity Provisioning
• Users/Groups
• Roles
• Connectors
Cloud applications: C/4HANA***, SAP Jam, ...

*SAP Access Control 12 and above
**Optional
***Coming
© 2019 SAP SE or an SAP affiliate company. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP SE or an SAP affiliate company.

The information contained herein may be changed without prior notice. Some software products marketed by SAP SE and its distributors contain proprietary software components
of other software vendors. National product specifications may vary.

These materials are provided by SAP SE or an SAP affiliate company for informational purposes only, without representation or warranty of any kind, and SAP or its affiliated
companies shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP or SAP affiliate company products and services are those that are
set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.

In particular, SAP SE or its affiliated companies have no obligation to pursue any course of business outlined in this document or any related presentation, or to develop or release
any functionality mentioned therein. This document, or any related presentation, and SAP SE’s or its affiliated companies’ strategy and possible future developments, products,
and/or platforms, directions, and functionality are all subject to change and may be changed by SAP SE or its affiliated companies at any time for any reason without notice. The
information in this document is not a commitment, promise, or legal obligation to deliver any material, code, or functionality. All forward-looking statements are subject to various risks
and uncertainties that could cause actual results to differ materially from expectations. Readers are cautioned not to place undue reliance on these forward-looking statements, and
they should not be relied upon in making purchasing decisions.

SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE (or an SAP affiliate company)
in Germany and other countries. All other product and service names mentioned are the trademarks of their respective companies.
See www.sap.com/corporate-en/legal/copyright/index.epx for additional trademark information and notices.
