Make Compliance a Seamless Part of Your Security Workflow: How GRC and Identity Management Solutions Can Work Together to Mitigate Segregation of Duties Risks

by Regine Schimmer and Jens Koster | SAPinsider

April 1, 2010

Many companies are realizing that they must weave governance, risk, and compliance (GRC) principles into their security processes. By complementing their existing identity management functionality with a GRC solution that manages access control, companies can enable compliant identity management, ensuring that roles and authorizations assigned to a user do not contain conflicting rights. This secures the identity management process, while making it completely compliant.

The need for governance, risk, and compliance (GRC) solutions is undeniable — without them, a company could leave itself exposed to legislative fines, reporting inaccuracies, or auditing nightmares. But for many companies, governance, risk, and compliance have become mere buzzwords. GRC is seen as a requirement rather than an opportunity, and too many companies take a very narrow approach to the subject, thinking of it only in terms of complying with financial regulations.

While compliance legislation does primarily target a company’s financial division, its impact is just as great in the IT department. After all, financial processes can only be compliant if they are based on compliant IT processes. In addition, using GRC solutions in conjunction with existing security solutions enables companies to secure end-to-end business processes, embedding compliance measures from start to finish. When done right, compliance becomes a valuable and useful part of the workflow, rather than a hindrance to it.

Compliance is especially important when it comes to a company’s ERP solutions, which contain critical processes that need to be protected by appropriate authentication and authorization procedures to ensure data privacy and enable efficient auditing. Companies likely already have processes in place to manage user access and authorizations, but what they really need is a centralized identity management solution complemented by a GRC solution.

By complementing their identity management functionality with a GRC solution that manages access control, companies can enable compliant identity management. In other words, they can ensure that roles and authorizations assigned to a user do not contain conflicting rights — so they’re not only securing the identity management process, but also making it completely compliant and auditable (see Key Term box).

Linking GRC to Identity Management: SAP BusinessObjects Access Control and SAP NetWeaver ID Management

The most efficient way to ensure compliance while simultaneously creating a streamlined, secure identity management process flow is to combine:

  • An identity management solution to provide centralized identity and permission administration processes in heterogeneous environments. Such a solution should enable identity federation, business role functionality, central password management, tight integration with business applications, and a standards-based, interoperable single sign-on.
  • A GRC access control solution to help define, analyze, and mitigate access risk. Such a solution should perform compliance checks on role assignments to ensure that they adhere to segregation of duties (SoD) principles — required by the Sarbanes-Oxley Act, for example. It should also provide ongoing access monitoring capabilities.

To fulfill these requirements, SAP offers SAP NetWeaver Identity Management (SAP NetWeaver ID Management) and SAP BusinessObjects Access Control.[1] Using these solutions separately, companies can take advantage of the rich functionality of each (see Figure 1). But by using the two solutions together, companies can enable compliant identity management. As of SAP BusinessObjects Access Control 5.3 and SAP NetWeaver ID Management 7.1, the two solutions now connect and interact to identify and combat any SoD violations.

Figure 1 The rich functional strengths of SAP BusinessObjects Access Control and SAP NetWeaver ID Management

Let’s consider an example of how SAP NetWeaver ID Management and SAP BusinessObjects Access Control can be combined to contribute to an efficient, compliant identity management process.

Ensuring Segregation of Duties: Compliant Identity Management in Action

In a previous Security Strategies column about SAP NetWeaver ID Management,[2] we introduced Anna Smith, a new employee whose role was defined and approved through SAP NetWeaver ID Management. We’ll now extend this example to see how SAP NetWeaver ID Management and SAP BusinessObjects Access Control work together to ensure that the roles assigned to Anna do not combine to constitute a risk for the company.

When Anna was hired, a human resources employee initiated her onboarding process by entering Anna’s data into SAP ERP Human Capital Management (SAP ERP HCM). From there, the data was passed on to SAP NetWeaver ID Management, which created an identity entry for Anna and automatically assigned her a business role.

By connecting SAP NetWeaver ID Management to SAP BusinessObjects Access Control, a compliance component is added to this process.[3] SAP NetWeaver ID Management automatically checks whether any of the privileges contained in the roles assigned to Anna are relevant for a risk analysis based on the role information. SAP BusinessObjects Access Control then checks these privileges — in this case, the solution does not detect any critical privilege combinations. Therefore, SAP NetWeaver ID Management starts provisioning Anna’s identity and role assignment to the systems she will need to access (see Figure 2).

Figure 2 Together, SAP BusinessObjects Access Control and SAP NetWeaver ID Management enable a smooth workflow that assesses and mitigates SoD risks

Now, let’s say that Anna starts working in her company’s procurement division. She’s responsible for order management and has all the roles and authorizations she needs to perform her job. When Anna’s co-worker Christine, the company’s vendor manager, takes several months of parental leave, Anna’s manager decides that Anna should take over Christine’s tasks. SAP NetWeaver ID Management provides convenient self-service functionality for Anna to request the vendor master maintenance role she needs to do Christine’s job. Anna submits the request for approval (refer back to Figure 2, (1)).

SAP NetWeaver ID Management’s workflow process then sends Anna’s request to her manager, who approves it (2), triggering the workflow to forward the request to the Identity Center (IC) component of SAP NetWeaver ID Management. The IC checks the new roles that the request would require, analyzing whether these roles will call for a compliance check.

In this case, Anna’s request contains an ERP role, which, together with Anna’s previously assigned roles, creates a potential compliance risk. The IC therefore sends the questionable request on to the Virtual Directory Server (VDS) component of SAP NetWeaver ID Management, the virtualization layer that interfaces with SAP BusinessObjects Access Control.[4] The Virtual Directory Server uses Web service technology to communicate with SAP BusinessObjects Access Control’s Compliant User Provisioning (CUP) component (3) regarding the potential risk.

SAP BusinessObjects Access Control then automatically checks the request for critical authorization combinations (4). Anna’s request does indeed contain an access risk violation — her role combination could allow her to maintain a fictitious vendor and initiate a purchase order from that vendor.

So SAP BusinessObjects Access Control automatically sends the request to the compliance officer, Peter Lawson, for review. Peter receives an email notification and opens Anna’s request to look into the issue. The request is clearly marked with a red flag, indicating an access risk violation (see Figure 3).

Figure 3 SAP BusinessObjects Access Control flags Anna’s account and details the potential risk violation

Peter simply clicks on the “Risk Analysis” button to receive a complete statement about the role combination in question and the risk it poses. Armed with this information, Peter contacts Anna’s manager and inquires about the requested role, trying to determine how it would affect business operations if he denied Anna’s request. After confirming that the role assignment is necessary to guarantee uninterrupted business and will only be needed for a limited time period, Peter decides to assign a mitigation control for the risk (5). With the click of a button, SAP BusinessObjects Access Control suggests a mitigation control: The procurement manager will monitor all vendor master changes.
A specific mitigation control can be defined for each risk at design time. A mitigation control could be an organizational measure, such as checking log files for suspicious activities, or a report scheduled to run at predefined intervals to detect and control any misuse.

With this control in place, the red flag turns green, and Peter can approve the role assignment. SAP NetWeaver ID Management then reads the risk status from CUP (6). Since the risk was mitigated and the role request approved, SAP NetWeaver ID Management automatically provisions Anna’s newly assigned role to the target systems (7) and sends out a notification to Anna and her manager about the assignment (8).

Because of the connections between SAP NetWeaver ID Management and SAP BusinessObjects Access Control, the company’s risk has been mitigated without any interruptions to business continuity.
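The workflow above can be summarized as a small decision procedure: the Identity Center first decides whether a request touches any function that appears in an SoD rule at all, the risk analysis then runs over the combined set of existing and requested roles, any unmitigated hit raises a red flag for the compliance officer, and a design-time mitigation control assigned to the risk turns the flag green so provisioning can proceed. The following Python model is an added example of that procedure; it is not SAP’s code and does not reflect how either product implements the check. The role names, business functions, rule set and control texts are all constructed for illustration.

```python
# Added example: a minimal model of the SoD check in the article's workflow.
# Not SAP code; role names, functions, rules and control texts are constructed.
from dataclasses import dataclass, field

# Constructed role catalogue: which business functions each role grants.
ROLE_FUNCTIONS = {
    "ORDER_MANAGEMENT": {"PO_CREATE", "PO_CHANGE"},
    "VENDOR_MASTER_MAINT": {"VENDOR_CREATE", "VENDOR_CHANGE"},
    "PAYMENT_RUN": {"PAYMENT_RELEASE"},
    "EMPLOYEE_SELF_SERVICE": {"ESS_VIEW"},
}


@dataclass(frozen=True)
class Risk:
    """One SoD rule: holding both functions at the same time is a risk."""
    risk_id: str
    function_a: str
    function_b: str
    description: str


# Constructed rule set, the analogue of the risk definitions in the GRC tool.
RISK_RULES = [
    Risk("P001", "VENDOR_CREATE", "PO_CREATE",
         "Maintain a fictitious vendor and order from it"),
    Risk("P002", "VENDOR_CREATE", "PAYMENT_RELEASE",
         "Maintain a fictitious vendor and release payments to it"),
]

# Constructed design-time mitigation controls, one per risk id.
MITIGATION_CONTROLS = {
    "P001": "Procurement manager reviews all vendor master changes",
    "P002": "Finance controller reviews payment runs against vendor changes",
}


@dataclass
class AccessRequest:
    user: str
    existing_roles: set[str]
    requested_roles: set[str]
    approved_by_manager: bool = False
    # risk id -> assigned control text; a mitigated risk no longer blocks
    mitigations: dict[str, str] = field(default_factory=dict)


def functions_for(roles: set[str]) -> set[str]:
    """Union of the functions granted by a set of roles; unknown roles grant none."""
    granted: set[str] = set()
    for role in roles:
        granted |= ROLE_FUNCTIONS.get(role, set())
    return granted


def needs_compliance_check(request: AccessRequest) -> bool:
    """Identity Center prefilter: only involve the GRC tool if a requested role
    grants a function that appears in at least one SoD rule."""
    rule_functions = {f for r in RISK_RULES for f in (r.function_a, r.function_b)}
    return bool(functions_for(request.requested_roles) & rule_functions)


def analyze_risks(request: AccessRequest) -> list[Risk]:
    """Risk analysis over the combined role set: existing plus requested roles."""
    held = functions_for(request.existing_roles | request.requested_roles)
    return [r for r in RISK_RULES if r.function_a in held and r.function_b in held]


def suggest_mitigation(request: AccessRequest, risk_id: str) -> str:
    """Assign the design-time control defined for a risk; returns the control text."""
    control = MITIGATION_CONTROLS[risk_id]
    request.mitigations[risk_id] = control
    return control


def provisioning_decision(request: AccessRequest) -> tuple[str, list[str]]:
    """Decide what identity management does next.
    Returns (status, unmitigated risk ids); status is PENDING_APPROVAL,
    RED_FLAG (compliance officer must act) or PROVISION."""
    if not request.approved_by_manager:
        return ("PENDING_APPROVAL", [])
    if not needs_compliance_check(request):
        return ("PROVISION", [])
    open_risks = [r.risk_id for r in analyze_risks(request)
                  if r.risk_id not in request.mitigations]
    if open_risks:
        return ("RED_FLAG", open_risks)
    return ("PROVISION", [])


if __name__ == "__main__":
    # Anna already holds order management and requests vendor master maintenance.
    anna = AccessRequest("anna.smith", {"ORDER_MANAGEMENT"},
                         {"VENDOR_MASTER_MAINT"}, approved_by_manager=True)
    status, open_risks = provisioning_decision(anna)
    print(status, open_risks)           # RED_FLAG ['P001']
    for rid in open_risks:
        print(rid, "->", suggest_mitigation(anna, rid))
    print(provisioning_decision(anna))  # ('PROVISION', [])
```

Two details of the model matter in practice: the analysis must run over the user’s existing roles together with the requested ones, because a single requested role is rarely a risk by itself, and a mitigation is recorded against a specific risk id, so the same user requesting a different conflicting role later is flagged again rather than inheriting the earlier approval.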

The Compliant and Secure Power of Two

By integrating SAP NetWeaver Identity Management with SAP BusinessObjects Access Control, companies can benefit from a centralized, compliant, streamlined identity management system that increases the efficiency and security of their business processes.

SAP NetWeaver ID Management supports growth and business expansion through the flexible integration of internal and external users, detailed role management, and central password functionality. Adding SAP BusinessObjects Access Control provides a powerful compliance tool that kicks in whenever a conflict arises. The combination of these two solutions enables your company to remain flexible yet secure and compliant.

For more information on these two solutions and SAP’s plans for enhancing the integration between them, visit and

Regine Schimmer ( is a Solution Manager for SAP NetWeaver Identity Management. She has several years of experience with SAP security solutions and has worked on SAP Security Product Management teams at SAP AG in Walldorf and SAP Labs in Palo Alto, California. Regine has also participated in creating security awareness campaigns. She is currently part of the rollout team for SAP NetWeaver Identity Management at SAP AG in Walldorf.

Jens Koster ( is a Solution Manager for SAP NetWeaver Identity Management at SAP AG in Walldorf. Since SAP’s acquisition of MaXware, Jens has been coordinating the rollout activities around the SAP NetWeaver Identity Management solution. He joined SAP as a Technical Security Consultant in 2000. Since then, he has designed customer solutions for SAP security architectures. Jens was also engaged as a trainer and course developer for the SAP Training Center in Walldorf.

[1] For more information on SAP BusinessObjects solutions for governance, risk, and compliance (GRC), visit

[2] See “Identity Management That’s Integrated into Your Current Business Processes: Enable Business Process Owners to Manage Access Rights and Roles” by Regine Schimmer and Jens Koster in the July-September 2009 issue of SAPinsider.

[3] For details on setting up a scenario in which this compliance workflow is only started if a violation is detected, please read this SDN blog.

[4] For more information about the Virtual Directory Server, visit
