Solutions for SAP ERP
Problem
SAP S/4HANA and R/3 are critical platforms used extensively by organizations. It’s important to manage access in SAP to maintain security and align with compliance requirements. SAP consists of numerous modules ranging from HR to finance.
If the SAP HR module is being used, then user life cycle events need to be detected from SAP HR.
SAP has an extensive access control model which controls what users can do within each of its modules. For new hires, organizations need to provision users across the various SAP modules and then set the correct entitlements, while ensuring that these operations abide by SoD rules. Similarly, when positions change, the access level needs to be recalculated. When users leave or are terminated, this access must be revoked.
In addition to the joiner, mover, leaver processes, organizations also need to perform periodic access reviews. In the absence of an IAM solution, these audits are often performed using spreadsheets in a very manual and tedious process.
Solution Overview
OpenIAM’s Workforce Identity and Access Governance platform provides organizations with a comprehensive solution to manage identities within SAP. The OpenIAM SAP connector utilizes BAPI to integrate with the ERP system. The connector, in conjunction with the rest of OpenIAM’s capabilities, provides the functionality described below.
SAP HR
The SAP connector provides integration with the SAP HR module to pick up new hires, transfers, and terminations. These events in HR will be processed in OpenIAM to automate joiner, mover, and leaver processes. The connector can also import organizational information in HR to create and maintain the org structure in downstream systems such as Active Directory.
User onboarding and offboarding
OpenIAM can manage the joiner, mover, leaver (JML) process so that accounts are created and terminated consistently and in a timely manner. Onboarding and transfer processes can also leverage birthright access rules to automatically grant the correct entitlements within SAP.
Role management
Roles are the top-level access control object in SAP, and they can be imported into OpenIAM along with the users who are members of each role. OpenIAM provides:
- A complete view of the access that each user has across the SAP platform including privileged access
- The ability to detect and remediate SoD violations
- Functionality to grant/revoke entitlements and have traceability of how access was granted
Self-service access request
Authorized users can use the service catalog, which can contain the complete set of SAP roles, to create requests for access in SAP. Approval flows can be defined either for each role or for the overall ERP platform. Once access has been approved, the connector can automatically provision access.
Orphan management
Using the orphan management feature in OpenIAM, customers can compare the accounts in SAP with those in OpenIAM. SAP accounts which do not match real users will be flagged as orphans. Orphans can then be cleaned up in either OpenIAM or SAP.
Access certification
Since the connector provides the ability to actively maintain a view of the access that users have in SAP, OpenIAM is always ready to initiate an access certification campaign.