The better the question. The better the answer. The better the world works.

SAP Cloud Identity Access Governance

Xiting Security Wednesday

November 18, 2020

Upload: others

Post on 21-Aug-2021

12 views

Category:

Documents


0 download

TRANSCRIPT

Page 1: SAP Cloud Identity Access Governance2020/11/18  · SAP IAG Architecture The Machinery Integration SAP Cloud Platform SAP IAG Web Browser (FIORI Apps) IAG Services 1. Access Request

The better the question. The better the answer.

The better the world works.

SAP Cloud Identity Access Governance

Xiting Security Wednesday

November 18, 2020

Page 2: SAP Cloud Identity Access Governance2020/11/18  · SAP IAG Architecture The Machinery Integration SAP Cloud Platform SAP IAG Web Browser (FIORI Apps) IAG Services 1. Access Request

Page 2

Presenting today

Heiko Gminder

Partner, Business Consulting

Phone +49 711 9881 14436

Mobile +49 160 939 14436

Email [email protected]

Patrick Fink

Senior Manager, Business Consulting

Phone +49 6196 996 20742

Mobile +49 160 93920742

Email [email protected]

Sumitesh Sharma

Senior Manager, Technology Consulting

Phone +41 58 286 82 90

Mobile +41 79 570 77 50

Email [email protected]


Contents

01 IAG Solution overview

02 IAG Architecture

03 IAG use case scenarios

04 IAG – Things to consider


SAP IAG – Solution overview

Complex landscape, multiple applications – Integrated solution!

SAP Cloud Identity Access Governance (SAP IAG) is a simplified, cloud-based identity and access governance solution for managing access to both cloud and on-premise applications.

IAG capabilities (Access Governance)

Privileged Access Management

Achieve super-user access, log consolidation, and review with automated log assessment

Access Certification

Review access, role, risk, and mitigation control

Access Request

Optimize access, workflow, policy-based assignment, and processes

Role Design

Optimize role definition and streamline governance

Access Analysis

Analyse access, refine user assignments, and manage controls

Benefits

• Reduced cost of ownership with the SAP IAG SaaS model

• Allows customers to choose and pay for only the functionality they opt for

• Rapid deployments

• Zero maintenance and upgrade cost

• Increased compliance with preventive risk assessment across SAP cloud & on-premise solutions

• Enables detection of cross-system risks, i.e. S/4 & ARIBA

• Integration with SuccessFactors enables automated user access lifecycle management across applications (hire to retire)

• Enables existing customers using SAP GRC to extend IAM capabilities to cloud applications through IAG integration

• Enhanced user experience with an access dashboard and a FIORI-enabled interface with drill-down capabilities


IAG vs GRC functionality overview

[Figure: Customer SAP landscape and IAM requirements. Functions (PAM/EAM, Business Role design, Access certification, Access risk analysis, Access request) mapped against on-premise and cloud applications (ECC/ S4 HANA, BW/BPC, Success Factors, C4C, IBP, ARIBA). Legend: SAP GRC supported, SAP IAG supported.]

• IAG offers flexibility to connect both on-premise & cloud applications for end-to-end identity access management

• IAG offers standard, out-of-the-box delivered workflows to meet customer requirements

• IAG offers an integration scenario to extend a client's existing SAP GRC system to cloud apps


SAP Identity Access Governance in Comparison with SAP GRC Native Solution

Feature SAP GRC SAP Cloud IAG

User Access Request Management

• On premise

• Cloud: Limited to Success Factors

Access Risk Analysis

• On premise

• Cloud

Emergency Access Management

• On premise *

• Cloud *

Business Role Management

• On premise: Limited to business role

• Cloud: Limited to business role

User access certification

• On premise

• Cloud

* released BETA version in IAG 2008


SAP IAG Architecture

The Machinery

Integration

SAP Cloud Platform

SAP IAG

Web Browser (FIORI Apps)

IAG Services

1. Access Request

2. Access Risk Management

3. PAM

4. Business Role management

5. Access certification

SAP Cloud Platform Identity Authentication Service (IAS)

SAP Cloud Platform Workflow Services

SAP Cloud Platform Business Rule management services

SAP Cloud Platform Identity Provisioning Services (IPS)

SAP S4HANA Cloud

ECC

S4HANA

On-Premise ABAP


IAG use case scenarios

New customers looking to standardize user & role management

Customers with an existing SAP GRC box that need cloud apps integration

Employee Central

SAP IAG

Other data sources

On-prem ECC/ SAP S/4 HANA

Cloud applications (SF,ARIBA,C4C etc)

HR Triggers

Employee Central

SAP GRC AC

Other data source

On-prem ECC/ SAP S/4 HANA

Cloud applications (SF,ARIBA,C4C etc)

GRC –IAG integration

User information

User information

HR Triggers

Provisioning Provisioning


End to End Use Case 1 (w/o AC Bridge Scenario)

SAP IAG as leading solution

SAP Access Control Workflow Engine

SAP IAG

On-prem SAP S/4 HANA/ERP

Hire to Retire Process Initiator

Manual User Requests

(Risk Analysis)

BRM (Business Role Management)

PAM (Privileged Access Management)

Fixed Multi Stage Access Workflow

Provisioning

► User & Role Data synced to SAP IAG

► Risk Analysis performed in SAP IAG

► Fixed multi stage workflow in IAG

► Provisioning to Cloud Application is triggered via IAG

► Provisioning to on-prem system is triggered over SCC

Employee Central

Cloud Infrastructure

On-prem infrastructure

SCC

Provisioning


End to End Use Case 2 (w AC Bridge Scenario)

SAP Access Control as leading solution

SAP Access Control Workflow Engine

SAP Access Control

On-prem SAP S/4 HANA/ERP

SAP IAG

Hire to Retire Process Initiator

Manual User Requests

ARA (Access Risk Analysis)

BRM (Business Role Management)

EAM (Emergency Access Management)

Multi Stage Access Workflow

Provisioning

Provisioning

AC Bridge scenario

► User & Role Data synced to SAP Access Control over IAG

► Risk Analysis performed in SAP Access Control

► Workflow is passed to IAG using bridge scenario

► Provisioning to Cloud Application is triggered via IAG

Employee Central

Cloud Infrastructure

On-prem infrastructure

SCC

SAP Cloud Integration


End to End Use Case 3 (w AC Bridge Scenario)

Other IDM as leading solution with primary workflow and provisioning integration

SAP Access Control Workflow Engine

SAP Access Control

On-prem SAP S/4 HANA/ERP

SAP IAG

Hire to Retire Process Initiator

ARA (Access Risk Analysis)

BRM (Business Role Management)

EAM (Emergency Access Management)

Multi Stage Access Workflow

Provisioning

Provisioning

AC Bridge scenario

► User & Role Data synced to SAP Access Control over IAG

► Risk Analysis performed in SAP Access Control

► Workflow is passed to IAG using bridge scenario

► Provisioning to Cloud Application is triggered via IAG

Employee Central

Cloud Infrastructure

On-prem infrastructure

SCC

SAP IDM or other IAM Solution

SAP IDM or other IAM Solution

On-prem non-SAP Systems


IAG – Things to consider

► SAP IAG is not AC on the cloud, but it addresses Access Governance needs in cloud applications and also enables managing access to on-premise systems

► Customers owning cloud applications and an SAP GRC solution can consider the access control bridge solution to help streamline their user access management for cloud applications. The cloud bridge can offer:

► Connectivity to cloud applications

► Cross-application access risk analysis, including cloud applications, by using SAP Cloud IAG (Access Analysis Service)

► Engage the network security team while designing the IAG solution and architecture

► Align your overall IdM strategy and risk framework for managing risks around enterprise applications

► Plan for skilled resources to manage cloud security, as there is a major shift in managing user access compared to on-premise ABAP systems


IAG – Solution demo

01 IAG access request management

02 IAG workflows approvals

03 IAG Risk Analysis Apps

04 IAG User and Risk level reporting Apps


Use Case - 01

Standard Apps in SAP Cloud IAG

Access Request Apps


Use Case - 02

IAG workflows approvals

Approval inbox


Use Case - 03

IAG Risk Analysis Apps

Access Analysis Apps


Use Case - 04

IAG User and Risk level reporting Apps

► SAP Cloud IAG provides various reporting apps for viewing security and risk in the systems.

► IAG standard Apps available for the Business cases are below


EY – IAG capabilities

► EY Golden Ruleset for cloud applications, with a risk library covering ARIBA, C4C, SF and other cloud applications

► The EY Way

- EY Standard Framework for technology migration and upgrade with ease.

- EY Agile Methodology for a streamlined and robust experience.

Implementation

EY talent Pool

Risk assessment Framework and Methodology

Documentation

► IAG implementation strategy framework, in collaboration with SAP, for Cloud IAG implementation and support.

► Framework for On-Premise to Cloud Migration of business cases

► SAP Cloud IAG procedural and guide documentation, built on EY experience, enhances the overall experience of Cloud IAG.

► SAP Cloud IAG resource pool with end-to-end implementation experience.

► EY Technology and Advisory team’s input for business transformation.


QA


Questions? Connect with us

Heiko Gminder

Partner, Business Consulting

Phone +49 711 9881 14436

Mobile +49 160 939 14436

Email [email protected]

Patrick Fink

Senior Manager, Business Consulting

Phone +49 711 9881 20742

Mobile +49 160 93920742

Email [email protected]

Sumitesh Sharma

Senior Manager, Technology Consulting

Phone +41 58 286 82 90

Mobile +41 79 570 77 50

Email [email protected]

Alexander Oesterle

Partner, Technology Consulting

Phone +49 621 4208 13460

Mobile +49 160 939 20742

Email [email protected]


EY | Assurance | Tax | Strategy and Transactions | Consulting

About EY

EY is a global leader in assurance, tax, transaction and advisory services. The insights and quality services we deliver help build trust and confidence in the capital markets and in economies the world over. We develop outstanding leaders who team to deliver on our promises to all of our stakeholders. In so doing, we play a critical role in building a better working world for our people, for our clients and for our communities.

EY refers to the global organization, and may refer to one or more, of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. Information about how EY collects and uses personal data and a description of the rights individuals have under data protection legislation are available via ey.com/privacy. For more information about our organization, please visit ey.com.

© 2020 EYGM Limited.

All Rights Reserved.


This material has been prepared for general informational purposes only and is not intended to be relied upon as accounting, tax, or other professional advice. Please refer to your advisors for specific advice.

ey.com