
Compliant Identity Management Processes Can Do More

How to Control Authorization Usage for License Compliance

by Guido Schneider | SAPinsider, Volume 18, Issue 4

November 8, 2017

SAP’s solutions for identity management and governance, risk, and compliance (GRC) provide a powerful, integrated toolset for managing SAP accounts and authorizations. In some cases, however, users may have too many authorizations or licensing needs that exceed current agreements. Learn how using compliant identity management (CIM) practices in combination with SAP Identity Management and SAP GRC solutions enables you to better monitor authorizations and manage licensing.

Identity management is a critical component of governance, risk, and compliance (GRC) efforts. To reduce fraud and audit findings, companies need to ensure that proper authorizations are in place. SAP’s solutions for GRC and identity management meet this need with tight integration that allows companies to use them in concert to organize and manage their SAP accounts and authorizations.

When used together, SAP Identity Management provides the appropriate workflows for requesting and approving users while SAP Access Control checks whether expanded or changed authorizations at the user level represent a risk for the company — in other words, it performs segregation of duties (SoD) checks. For authorization changes at the user level, SAP Identity Management ensures that users receive the new authorizations required to carry out business processes.

In some cases, however, a user may be technically compliant while also having too many authorizations, including ones that the user’s role does not require or no longer requires. This scenario underscores why companies should expand their compliant identity management (CIM) processes to better monitor authorization use — and better manage licensing.

Compliant Identity Management

With CIM processes in place, authorizations that are no longer used can be automatically withdrawn or removed from the relevant SAP roles. Auditors would also favor this type of process because it is an automated way to keep authorizations to a reasonable number.

The same concept can also be used to ensure license compliance. Users may require different license types depending on their roles and authorizations. For example, say a user has an “SAP worker user” license, but also must be able to create sales orders. The user would need an authorization for transaction VA01, which would require an upgrade to an “SAP professional user” license. The company can use CIM to anticipate this situation and prevent noncompliance. An external software asset management (SAM) server evaluates license assignments against overall license requirements before any authorizations are changed (see Figure 1).

Figure 1 — A SAM server works with connected systems directly or via SAP Identity Management to reduce license and compliance risk


The SAM server has access to all connected systems, either directly or via the SAP Identity Management server. It handles all SAP licenses, non-SAP licenses to other vendors’ solutions, and SAP licenses for indirect SAP software use. Authorization use is monitored on the SAM server, and changes to licenses and costs are calculated and simulated promptly. If the SAM server determines that the company does not have enough SAP licenses in its inventory, the purchasing department or license manager is informed automatically. The organization will always be compliant in terms of licenses.
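The unused-authorization review and the pre-change license check described above, as an added Python example (not code from SAP Identity Management, SAP Access Control, or any SAM product). The license tier ranking, the ZTIME and ZSTOCK transaction codes, the sample user, and all function names are hypothetical; only the VA01 requirement for a professional user license comes from the article.

```python
from dataclasses import dataclass, field

# Constructed for illustration: license tiers ranked by entitlement.
# Only the VA01 -> professional requirement comes from the article.
LICENSE_RANK = {"worker": 1, "professional": 2}
TCODE_MIN_LICENSE = {"VA01": "professional", "ZTIME": "worker", "ZSTOCK": "worker"}

@dataclass
class User:
    name: str
    license: str
    authorizations: set = field(default_factory=set)
    used_tcodes: set = field(default_factory=set)  # from usage monitoring

def unused_authorizations(user):
    """Authorizations never exercised in the monitoring window: withdrawal candidates."""
    return sorted(user.authorizations - user.used_tcodes)

def required_license(tcodes):
    """Lowest license tier that covers every transaction in tcodes."""
    tiers = [TCODE_MIN_LICENSE[t] for t in tcodes]  # KeyError on an unmapped tcode
    return max(tiers, key=LICENSE_RANK.__getitem__, default="worker")

def simulate_change(user, requested, free_licenses):
    """Decide on an authorization request before it is provisioned."""
    try:
        needed = required_license(user.authorizations | set(requested))
    except KeyError as exc:
        # Fail closed: no license rule means the change cannot be evaluated.
        return {"decision": "reject", "reason": f"no license rule for {exc.args[0]}"}
    if LICENSE_RANK[needed] <= LICENSE_RANK[user.license]:
        return {"decision": "approve", "license": user.license}
    if free_licenses.get(needed, 0) > 0:
        return {"decision": "approve_with_upgrade", "license": needed}
    return {"decision": "hold", "license": needed, "notify": "license manager"}

# Constructed sample data: a worker-licensed user who never used ZSTOCK.
alice = User("alice", "worker", {"ZTIME", "ZSTOCK"}, {"ZTIME"})

if __name__ == "__main__":
    print(unused_authorizations(alice))
    print(simulate_change(alice, ["VA01"], {"professional": 0}))
    print(simulate_change(alice, ["VA01"], {"professional": 3}))
```

A request for a transaction with no license rule is rejected rather than approved, so gaps in the mapping surface as work for the license manager instead of silent noncompliance.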

For more, contact me at guido.schneider@aspera.com or 1-617-307-7733, or visit our US office at 113 Braintree St., Ste. 703, in Boston.


Guido Schneider

Senior Product Management Advisor, SAP
Aspera


