Expand +



Paving the Road to Global SAP Security

Where to Start on a Complex, Enterprise-Wide Project

by Scott Osterman | SAPinsider, Volume 15, Issue 4

October 1, 2014

Globalization is changing the way businesses work, including their governance, risk, and compliance (GRC) strategies and processes. Business functions are becoming increasingly standardized, making unified access control more of a pressing need. Find out how you can combat globalization risks through careful assessments and implementation best practices.


For multinational corporations, globalizing IT systems usually requires the organization to streamline functional business processes. Sometimes overshadowed, however, can be the implications globalization has for an enterprise-wide governance, risk, and compliance (GRC) strategy.

The traditional viewpoint has held that GRC is a local or regional issue, with security platforms built to reflect this outlook. User access rules, for example, are often determined according to a business’s geographic location regardless of whether the enterprise has a single ERP instance. In many ways, this makes sense; regional regulations or security threats have until now trumped the standardization of security tools in line with harmonized business processes. 

Yet as multinationals continue to standardize functional business processes and shrink geographic boundaries, unified access control is more of a pressing need. This is true for multinational SAP customers transitioning to a single instance of SAP ERP, and for those maintaining multiple instances, yet opting to govern and manage them globally in a shared services environment.

A global security solution that can be achieved by integrating identity and access management (IAM) software with either a stand-up or upgraded SAP Access Control 10.1 provides tactical advantages that disparate security platforms cannot match.

The simple truth is that security affects every user. An organization can have the best-designed SAP functionality, but if a user cannot access it, then the functionality is all for naught.

A Shared Services Security Model

A shared services security model provides a number of benefits, namely:

  • Lower cost
  • Easier maintenance
  • Greater efficiency

It can also drive better compliance as regions are not left to their own devices for allocating necessary resources for end-to-end security. Of course, this necessitates implementing global security processes as one would for standardizing business processes. Automating and standardizing provisioning and segregation of duties (SoD) controls across the enterprise can lead to significant cost savings, not the least of which is realized by decreasing the need for IT support. Automation delivers consistent verbiage and approvals that make it easier for end users to perform tasks such as creating and approving requests.

A Starting Point for Global Security

With the myriad of complexities to consider in a journey toward a global SAP security solution, however, such a journey can be more difficult than anticipated.

Language is just one example of the complexities involved in moving to a standardized global security platform. One PwC client, for instance, requires eight languages in its platform. With several scripts, including Arabic and Chinese, and right-to-left writing, accounting for these variables makes standardization far more difficult than implementing access controls at a local level.

Recognizing these complexities, the PwC consultative approach entails an initial assessment of an organization’s entire SAP security and compliance landscape. During this assessment, it is important to look at the technology, processes, and people behind an organization’s existing approach. We analyze the entire structure from the ground up, including studying existing challenges and audit results.

This information is then used to develop a thorough roadmap for what a global SAP security solution would look like, and a strategy is devised for how best to tackle the project. This assessment is a critical first step; when a multinational might have tens of thousands of users, it really is the only way to fully understand a security model and determine how it might best be improved (see sidebar).

Achieving Security Both Locally and Globally

The global nature of business now requires businesses to augment their security programs to go beyond local concerns. A global SAP security program involves both local and global components. Local activities include:

  • Control point values
  • Role assignment approvers
  • Mitigating controls and approvers
  • Training and language support

Global components of such a program include a number of additional pieces:

  • Task-based roles and content owners
  • Control point framework
  • Risk and segregation of duties (SoD) framework
  • Governance and provisioning processes
  • Monitoring and provisioning tools
  • Executive leadership and support organization
Security vs. Functional Implementation

While the rollout of a global security solution will have different approaches depending on an organization’s requirements and overall landscape, PwC recommends that the implementation follows a standard system development lifecycle (SDLC) approach, which is the usual practice when adhering to the PwC Transform methodology. However, it’s important to note that a security implementation is different from a functional SAP deployment.

A good example of this is standardizing SoD controls and role-based security design. While the official go-live can be viewed as when these security roles move into production, the rubber really only meets the road when the roles are assigned to users, otherwise there is no impact to the user. This isn’t the same as business processes that have a more immediate impact, such as customer invoicing.

A security deployment process is easier in this regard, in that it enables a staggered rollout so that an organization doesn’t have to assume the risks of impacting user access for 50,000 users over a two-day period, for example. This phased-in, cross-functional approach affords a smoother transition to a new security platform and helps reduce the risk that something may have been missed by the business.

For many organizations, global security represents a new opportunity to design security measures that had previously taken a back seat when undergoing a functional SAP implementation. To maintain and sustain security beyond the day-one rollout, however, it is important to design and build the system not to a disparate, regional model, but to a shared services model. Building roles in a shared services model acknowledges that it’s easier to change how you assign roles to users than it is to redesign an entire role. This is how an organization can set up a global security footprint for long-term sustainment. 

In It for the Long Haul

These are the conversations we are having with clients. How do they help facilitate long-term success? Change management is one of the more important pieces of the puzzle. The simple truth is that security affects every user; an organization can have the best-designed SAP functionality, but if a user cannot access it — or, conversely, if a user who should not be able to access it does — then the functionality is all for naught. Global security affects every user in the organization, so organizational change management is a critical part of the equation.

The greatest successes we are seeing with global security projects are coming from those organizations that understand that building a unified governance model must be driven by a partnership between IT and the business, working collaboratively toward a common goal. During that initial assessment, a PwC consulting team’s active engagement with the business through a steering committee or executive sponsorship is usually an accurate predictor of success.

Where to Start

The road toward a global security solution can have many stops and starts, so having an implementation partner that understands what the finish line looks like in addition to how to get there is a great beginning. For more information, visit

An email has been sent to:


Scott Osterman
Scott Osterman

SAP Security and SAP Access Control
Practice Leader

More from SAPinsider


Please log in to post a comment.