sap cloud identity access governance2020/11/18 · sap iag architecture the machinery integration...
TRANSCRIPT
The better the question. The better the answer.
The better the world works.
SAP Cloud Identity Access Governance
Xiting Security Wednesday
November 18, 2020
Page 2
Presenting today
Heiko Gminder
Partner, Business Consulting
Phone +49 711 9881 14436
Mobile +49 160 939 14436
Email [email protected]
Patrick Fink
Senior Manager, Business Consulting
Phone +49 6196 996 20742
Mobile +49 160 93920742
Email [email protected]
Sumitesh Sharma
Senior Manager, Technology Consulting
Phone +41 58 286 82 90
Mobile +41 79 570 77 50
Email [email protected]
Page 3
Contents
01 IAG Solution overview
02 IAG Architecture
03 IAG use case scenarios
04 IAG – Things to consider
Page 4
SAP IAG – Solution overview
Complex landscape, multiple applications – Integrated solution!
IAG capabilities
Privileged Access Management
Achieve super-user access, log consolidation, and review with automated log assessment
Access Certification
Review access, role, risk, and mitigation control
Access Request
Optimize access, workflow, policy-based assignment, and processes
Role Design
Optimize role definition and streamline governance
Access Analysis
Analyse access, refine user assignments, and manage controls
Access Governance
SAP Cloud Identity Access Governance (SAP IAG) provides simplified identity and access management as a cloud-based governance solution for managing both cloud and on-premise applications.
Benefits
• Reduced cost of ownership with the SAP IAG SaaS model
• Allows customers to choose and pay for the functionalities they opt for
• Rapid deployments
• Zero maintenance and upgrade cost
• Increased compliance with preventive risk assessment across SAP cloud and on-premise solutions
• Enables detection of cross-system risks, such as between S/4 and ARIBA
• Integration with SuccessFactors enables automated user access lifecycle management across applications (hire to retire)
• Enables existing customers using SAP GRC to extend IAM capabilities to cloud applications through IAG integration
• Enhanced user experience with an access dashboard and a FIORI-enabled interface with drill-down capabilities
Page 5
IAG vs GRC functionality overview
[Figure: Customer SAP landscape and IAM requirements. Functions: Access risk analysis, Access request, PAM/EAM, Business Role design, Access certification. Systems, grouped as on-premise and cloud applications: ECC/S4, HANA, BW/BPC, SuccessFactors, C4C, IBP, ARIBA. Legend: SAP GRC supported, SAP IAG supported.]
• IAG offers flexibility to connect both on-premise and cloud applications for end-to-end identity access management
• IAG offers standard out-of-the-box workflows to meet customer requirements
• IAG offers an integration scenario to extend a client's existing SAP GRC system to cloud apps
Page 6
SAP Identity Access Governance in Comparison with SAP GRC Native Solution
Feature SAP GRC SAP Cloud IAG
User Access Request Management
  On premise
  Cloud: Limited to SuccessFactors
Access Risk Analysis
  On premise
  Cloud
Emergency Access Management
  On premise *
  Cloud *
Business Role Management
  On premise: Limited to business role
  Cloud: Limited to business role
User access certification
  On premise
  Cloud
* released BETA version in IAG 2008
Page 7
SAP IAG Architecture
The Machinery
Integration SAP Cloud Platform
SAP IAG
Web Browser (FIORI Apps)
IAG Services
1. Access Request
2. Access Risk Management
3. PAM
4. Business Role management
5. Access certification
SAP Cloud Platform Identity Authentication Service (IAS)
SAP Cloud Platform Workflow Services
SAP Cloud Platform Business Rule management services
SAP Cloud Platform Identity Provisioning Services (IPS)
SAP S4HANA Cloud
ECC
S4HANA
On-Premise ABAP
Page 8
IAG use case scenarios
New customers looking to standardize user and role management
Customers with an existing SAP GRC box who need cloud apps integration
Employee Central
SAP IAG
Other data sources
On-prem ECC/ SAP S/4 HANA
Cloud applications (SF,ARIBA,C4C etc)
HR Triggers
Employee Central
SAP GRC AC
Other data source
On-prem ECC/ SAP S/4 HANA
Cloud applications (SF,ARIBA,C4C etc)
GRC –IAG integration
User information User information
HR Triggers
Provisioning Provisioning
Page 9
End to End Use Case 1 (w/o AC Bridge Scenario)
SAP IAG as leading solution
SAP Access Control Workflow Engine
SAP IAG
On-prem SAP S/4 HANA/ERP
Hire to Retire Process Initiator
Manual User Requests
(Risk Analysis)
BRM (Business Role Management)
PAM (Privileged Access Management)
Fixed Multi Stage Access Workflow
Provisioning
► User & Role Data synced to SAP IAG
► Risk Analysis performed in SAP IAG
► Fixed multi stage workflow in IAG
► Provisioning to Cloud Application is triggered via IAG
► Provisioning to on-prem system is triggered over SCC
Employee Central
Cloud Infrastructure
On-prem infrastructure
SCC
Provisioning
Page 10
End to End Use Case 2 (w AC Bridge Scenario)
SAP Access Control as leading solution
SAP Access Control Workflow Engine
SAP Access Control
On-prem SAP S/4 HANA/ERP
SAP IAG
Hire to Retire Process Initiator
Manual User Requests
ARA (Access Risk Analysis)
BRM (Business Role Management)
EAM (Emergency Access Management)
Multi Stage Access Workflow
Provisioning
Provisioning
AC Bridge scenario
► User & Role Data synced to SAP Access Control over IAG
► Risk Analysis performed in SAP Access Control
► Workflow is passed to IAG using bridge scenario
► Provisioning to Cloud Application is triggered via IAG
Employee Central
Cloud Infrastructure
On-prem infrastructure
SCC
SAP Cloud Integration
Page 11
End to End Use Case 3 (w AC Bridge Scenario)
Other IDM as leading solution with primary workflow and provisioning integration
SAP Access Control Workflow Engine
SAP Access Control
On-prem SAP S/4 HANA/ERP
SAP IAG
Hire to Retire Process Initiator
ARA (Access Risk Analysis)
BRM (Business Role Management)
EAM (Emergency Access Management)
Multi Stage Access Workflow
Provisioning
Provisioning
AC Bridge scenario
► User & Role Data synced to SAP Access Control over IAG
► Risk Analysis performed in SAP Access Control
► Workflow is passed to IAG using bridge scenario
► Provisioning to Cloud Application is triggered via IAG
Employee Central
Cloud Infrastructure
On-prem infrastructure
SCC
SAP IDM or other IAM Solution
SAP IDM or other IAM Solution
On-prem non-SAP Systems
Page 12
IAG – Things to consider
► SAP IAG is not AC on the cloud, but it addresses access governance needs in cloud applications and also enables managing access to on-premise systems
► Customers owning cloud applications and an SAP GRC solution can consider the access control bridge solution to help streamline their user access management for cloud applications. The cloud bridge can offer:
  ► Connectivity to cloud applications
  ► Cross-application access risk analysis, including cloud applications, by using SAP Cloud IAG (Access Analysis Service)
► Engage the network security team while designing the IAG solution and architecture
► Align your overall IdM strategy and risk framework for managing risks around enterprise applications
► Skilled resources are needed to manage cloud security, as there is a major shift in managing user access compared to on-premise ABAP systems
Page 13
IAG – Solution demo
01 IAG access request management
02 IAG workflows approvals
03 IAG Risk Analysis Apps
04 IAG User and Risk level reporting Apps
Page 14
Use Case - 01
Standard Apps in SAP Cloud IAG
Access Request Apps
Page 15
Use Case - 02
IAG workflows approvals
Approval inbox
Page 16
Use Case - 03
IAG Risk Analysis Apps
Access Analysis Apps
Page 17
Use Case - 04
IAG User and Risk level reporting Apps
► SAP Cloud IAG provides various reporting apps for viewing security and risk in the systems.
► The IAG standard apps available for the business cases are below
Page 18
EY – IAG capabilities
► EY Golden Ruleset for Cloud applications with risk library covering ARIBA, C4C, SF and other cloud applications
► The EY Way
- EY Standard Framework for technology Migration and Upgrade with ease.
- EY Agile Methodology for a streamlined and robust experience.
Implementation
EY talent Pool
Risk assessment Framework and Methodology
Documentation
► IAG implementation strategy Framework in collaboration with SAP for Cloud IAG implementation and support.
► Framework for On-Premise to Cloud Migration of business cases
► SAP Cloud IAG procedural and guide documentation with EY experience enhances the overall experience of Cloud IAG.
► SAP Cloud IAG resource pool, with end-to-end implementation experience.
► EY Technology and Advisory team’s input for business transformation.
Page 19
Q&A
Page 20
Questions? Connect with us
Heiko Gminder
Partner, Business Consulting
Phone +49 711 9881 14436
Mobile +49 160 939 14436
Email [email protected]
Patrick Fink
Senior Manager, Business Consulting
Phone +49 711 9881 20742
Mobile +49 160 93920742
Email [email protected]
Sumitesh Sharma
Senior Manager, Technology Consulting
Phone +41 58 286 82 90
Mobile +41 79 570 77 50
Email [email protected]
Alexander Oesterle
Partner, Technology Consulting
Phone +49 621 4208 13460
Mobile +49 160 939 20742
Email [email protected]
EY | Assurance | Tax | Strategy and Transactions | Consulting
About EY
EY is a global leader in assurance, tax, transaction and advisory services. The
insights and quality services we deliver help build trust and confidence in the capital
markets and in economies the world over. We develop outstanding leaders who
team to deliver on our promises to all of our stakeholders. In so doing, we play a
critical role in building a better working world for our people, for our clients and for
our communities.
EY refers to the global organization, and may refer to one or more, of the member
firms of Ernst & Young Global Limited, each of which is a separate legal entity.
Ernst & Young Global Limited, a UK company limited by guarantee, does not
provide services to clients. Information about how EY collects and uses personal
data and a description of the rights Individuals have under data protection
legislation are available via ey.com/privacy. For more information about our
organization, please visit ey.com.
© 2020 EYGM Limited.
All Rights Reserved.
This material has been prepared for general informational purposes only and is not intended to be relied upon
as accounting, tax, or other professional advice. Please refer to your advisors for specific advice.
ey.com