Bridge to Cloud – How to Manage SAP Cloud Solutions

Rejhan Fazlic, Partner and Technology Strategy & Transformation Leader, PwC Switzerland, 09/12/21

The SAP world is experiencing one of the most significant shifts ever as it moves to cloud applications. With the launch of S/4HANA, applications are now available for customers to use in a secure cloud computing environment, enabling better accessibility and user experience.


The growing number of cloud applications has resulted in complex, hybrid landscapes. With this digital transformation, businesses are keen to manage access for on-premise and cloud applications centrally using SAP GRC and business roles. Because SAP GRC has finite capabilities and can only fully manage on-premise applications, managing cloud applications remains a challenge for access management and governance teams. It is imperative to have a robust identity and access management solution that can manage both on-premise and cloud applications, enabling better governance, enhanced user experience and compliance with regulations.

SAP introduced IAG to provide businesses with an effective access management solution. SAP Identity Access and Governance is the latest innovation in the SAP access governance space. It is a simple and adaptive access governance tool that enables a seamless user experience. With SAP IAG Bridge, identity governance and SAP access control are guaranteed for both on-premise and cloud solutions.

What is SAP IAG?

SAP Cloud Identity and Access Governance (IAG) is a central solution for managing and governing access to cloud and on-premise target applications, or a combination of both. It is not a replacement for SAP GRC but offers similar functionalities to SAP GRC Access Control such as access analytics, role management, access requests, access reviews and privileged access management. This solution is built on the SAP cloud platform and HANA database with a compelling FIORI interface and an interactive dashboard. It can be used standalone or integrated with SAP GRC access control 12.0 via IAG bridge for user provisioning processes and risk analysis to serve SAP on-premise and cloud applications. SAP cloud applications such as SuccessFactors, Ariba, S/4HANA Cloud, S/4HANA on-premise, SAP Analytics Cloud and many more can be integrated with SAP IAG.

Strengths

  • Dashboard-based FIORI launchpad for better user experience
  • Works standalone or integrated with GRC access control
  • Improves application security and compliance, including SAP S/4HANA and other cloud and on-premise environments
  • Centralised user and authorisation management
  • Access risk management for cross system landscapes
  • Comes with pre-configured policies and rules for access management

Challenge

  • Requires SAP Access Control (AC) for maintenance and customisation of ARM workflows.

Core Functionalities of IAG

Access Governance IAG
  • Insight into segregation of duties and critical action
  • Overview dashboard and various risk trends to review the risk across the landscape
  • Integrated audit reporting to refine access
  • Configurable and predefined access policies and rules
  • Definition and optimisation of business roles directly in IAG
  • Simple and intuitive business process role design
  • Access risk simulation ensures SOD-free business roles
  • Coordination process to ensure consistency in role design
  • Role designer dashboard provides risk metrics and usage trends within a business role
     
  • Self-service access request forms with data-driven filters
  • Compliant provisioning of access to cloud and on-premise applications
  • Includes predefined non-modifiable workflow templates for access provisioning
  • HR event-driven identity lifecycle management and automated provisioning
     
  • Automated review of access, role, risk and mitigation control
  • Reviews tailored to the needs of the organisation
  • Supports large-scale reviews and manages the review process
  • Definition and administration of privileged users and temporary elevation of access
  • Enables monitoring of sensitive and critical transactions
  • Provides workflow-based activity reviews
  • Enables integrated session tracking

Integration Scenarios

Customers with on-premise solution only – Organisations that only have the on-premise solution can use GRC Access Control to govern access in the on-premise landscape. Unlike IAG at its current state of development, GRC Access Control gives the flexibility to customise workflows. Customers also have the option to implement SAP IAG alone to connect to an on-premise system and manage access and risk. SAP IAG comes with non-modifiable out-of-the-box workflows which can be utilised for access risk management.

Customers using on-premise and cloud applications – In this situation the customer can choose to run entirely on cloud IAG, with limited configuration capabilities, or manage access and governance in a hybrid landscape by integrating SAP IAG with GRC Access Control via an IAG bridge.

SAP IAG BRIDGE 

IAG Bridge Cloud provides flexibility to use IAG in combination with GRC access control 12.0. 

Key features:

  • IAG as the central point of contact for all systems
  • All cloud activities carried out by IAG cloud
  • GRC Access Control can be used for on-premise requirements
  • IAG and GRC are synchronised by synchronisation jobs
  • Synchronise access risk and mitigation control data from GRC AC to SAP Cloud IAG
  • Cross-application risks between on-premise and the cloud

Customers already using GRC Access Control 12.0 can use their current application and take advantage of cloud business applications without compromising on access governance and compliance requirements.

How can we help you enhance your access management in hybrid SAP systems?

PwC is a platinum partner of SAP with more than 15,000 connected SAP-trained experts worldwide. We have supported multiple clients in the successful implementation of the SAP GRC Suite.

With PwC’s expertise and SAP’s Identity Access Governance solution, we can provide you with the design, development and implementation of an SAP access management framework for hybrid landscapes.

Contact us

Rejhan Fazlic

Partner and Technology Strategy & Transformation Leader, PwC Switzerland

Tel: +41 58 792 1148

Lendrit Malushi

Manager, PwC Switzerland

Tel: +41 58 792 17 78

Richa Kumari

Senior Associate, PwC Switzerland

Tel: +41 58 792 50 23