Reduce the burden of
managing SAP and gain
unified business view with
enterprise Identity
Management
One Identity - Restricted - Confidential2
Introductions
Alex Binotto – Sr. Product Manager
Alex.Binotto@OneIdentity.com
Cengiz Tuztas – Sr. Solutions Architect
Cengiz.Tuztas@OneIdentity.com
Agenda
• Identity and Access Management has its own challenges. Now,
let’s add SAP and SAP Cloud Apps into the mix
• What are the challenges of managing SAP through your IAM
processes?
• How does One Identity help you solve these challenges and
reduce the overall burden of managing SAP?
Identity and Access Management
What does Alex have access to?
Why does he have access to
resources?
Who gave him that access?
Now, let’s add SAP
• SAP has users and groups like most
applications
• SAP also has clients, profiles, roles,
menus, and transaction codes
• Different inheritance rules for each of
these objects increase complexity
• Trying to resolve these complex
relationships down to users and groups
is close to impossible
• SAP Cloud Applications have their own
data model
The challenges
• One common behavior among the organizations that we have worked with is
to divide the enterprise into “SAP” and “everything else.”
• Many IAG solutions don’t have rich support for SAP
• Administrators from the Windows and Unix universes don’t share a common
entitlement “mental map” with the SAP teams, so it’s easier to treat the
platforms separately
• It is a challenge for organizations to get a single view of a user
• Silo approach results in redundant platforms and processes for entitlement
requests
• Difficult to enforce controls like separation of duty rules across the various
platforms
Identity Management
System
SAP User Account Challenges
• To access business objects or
execute SAP transactions,
authorizations must be assigned to
users
• A master record is required to log
on
• Master records are client specific
SAP Compliance & SoD Challenges
• SAP GRC executes rules on single,
independent SAP accounts
• Links between SAP accounts, such as a
superordinate employee identity, are
not included in GRC rule
calculations
• No cross platform support
Let’s take a look
How Identity Manager can
help
How to solve
SAP Account
Management Challenges
SAP System & Client overview
SAP Client overview
SAP Company overview
SAP User overview
SAP Profile overview
SAP Role overview
SAP Group overview
How to solve
SAP Compliance &
SoD Challenges
SAP Objects not displayed directly in the Admin tool
• Connector can synchronise many objects that are not displayed in their
own section in the Administration tool
• SAP Transactions, Authorization Objects, and elements like Activities and
Authorization Groups are rather displayed as linked to SAP Functions for
the purposes of SOD definition
SAP Function Instance and Affected Groups:
used to easily define SOD Rules
Example: FI06 Bank deletion role will match this Function
SAP Audit Rule overview
SAP Audit Rule (SoD) configuration
• Example: showing AND across the clauses and OR over a list of SAP
Functions
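The two points above, that per-account SoD checks miss conflicts spread across one person's SAP accounts and that an audit rule is an AND across clauses with an OR over the SAP Functions in each clause, as an added Python illustration. It is not One Identity Manager code: the function names, the function-to-transaction mapping, the accounts and the identities are constructed, and a function is reduced here to a set of transaction codes.

```python
from collections import defaultdict

# Constructed sample data: SAP function name -> transaction codes that match it.
FUNCTIONS = {
    "MAINTAIN_VENDOR": {"XK01", "XK02"},
    "MAINTAIN_BANK": {"FI01", "FI06"},
    "POST_PAYMENT": {"F-53", "F110"},
}

# One audit rule: clauses are ANDed, the functions inside a clause are ORed.
RULE = [["MAINTAIN_VENDOR", "MAINTAIN_BANK"], ["POST_PAYMENT"]]

# Constructed accounts; master records are client specific, so one person
# can hold several accounts.
ACCOUNTS = [
    {"identity": "alex", "client": "100", "tcodes": {"XK01"}},
    {"identity": "alex", "client": "200", "tcodes": {"F110"}},
    {"identity": "jordan", "client": "100", "tcodes": {"FI06", "F-53"}},
    {"identity": "sam", "client": "100", "tcodes": {"XK02"}},
]


def functions_held(tcodes):
    """Return the names of the SAP functions matched by a set of transaction codes."""
    return {name for name, codes in FUNCTIONS.items() if codes & tcodes}


def violates(tcodes, rule=RULE):
    """True when every clause has at least one of its functions held."""
    held = functions_held(tcodes)
    return all(any(func in held for func in clause) for clause in rule)


def account_level(accounts):
    """Identities flagged when each account is evaluated on its own."""
    return sorted({a["identity"] for a in accounts if violates(a["tcodes"])})


def identity_level(accounts):
    """Identities flagged when all of a person's accounts are merged first."""
    merged = defaultdict(set)
    for a in accounts:
        merged[a["identity"]] |= a["tcodes"]
    return sorted(name for name, tcodes in merged.items() if violates(tcodes))


if __name__ == "__main__":
    print("per account :", account_level(ACCOUNTS))
    print("per identity:", identity_level(ACCOUNTS))
```

The per-account pass flags only the identity whose single account holds both sides of the rule; merging by identity also surfaces the conflict split across clients 100 and 200.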
SAP Audit Rule
[Diagram: an audit rule built from Transactions 1-2, Authorization objects 1-3 and Function elements 1-4, combined with OR (1), AND (2) and AND (3)]
SAP Function Definition
Adding SAP HCM
Pre-defined Templates speed up the project
• Simple configuration
• Extensibility to custom information (all the Z_ tables)
One-To-One relationship from the source of
truth
• SAP HCM is the leading system for Org and Employee data
View on «ALL» the relationships
• All in One
• Reflects the Org changes as they are
• And more …
Write back Communication Data to SAP HCM
• Write back important communication data from other systems
like Mail and Phone system
Adding SAP Cloud
Applications
One Identity Manager & Starling Connect
Summary
Identity Manager delivers unified administration
and security for cloud and on-premises SAP
applications
SAP & Identity Manager Benefits
• Enhances SAP compliance and governance with a cross-platform
view that merges the SAP ecosystem with a comprehensive view
of non-SAP resources
• Best fit for companies requiring strong governance for SAP
• Scales to the largest and most complex SAP organizations
• Delivers fine-grained SAP object management required for
efficient, secure, and successful SAP operations
• Understands and provides IGA for the difficult-to-manage aspects of SAP
(Transaction Codes, Process Codes, support for custom SAP Z Tables, and other
attributes)
• Provides SAP-optimized SoD verification and enforcement
• Delivers SAP-specialized workflows and business logic within enterprise governance
Why One Identity?
• 7,000+ customers of One Identity solutions
• 130+ million identities managed through One Identity solutions
• Award-winning support: 94% of One Identity customers report “overall
satisfaction with support experience”
• Stability: 15 years of profitability and growth
• 2018 Leader: Gartner has named One Identity a Leader in its
February 2018 MQ for Identity Governance and Administration
• 4.2 out of 5: One Identity’s score on the Gartner Peer Insights tool
• Award-winning Partner Program: Computer Reseller News Channel Chief 2018
and 5 Star Rating
Innovation
• Most comprehensive SAP Connector
• Market leader in AD management & security
• Pioneered AD bridge market
• Starling identity-as-a-service platform
SAP Connector (additional cost)
SAP connector is certified by SAP for both SAP R/3 and S/4HANA and provides the
full user account lifecycle for SAP user accounts
Modules:
• SAP R/3 User Management Module (SAP)
• SAP R/3 Structural Profiles Add-on Module (SAP HCM)
• SAP R/3 Analysis Authorizations Add-on Module (SAP Business Intelligence)
• SAP R/3 Compliance Add-on Module (SAP Compliance)
