Managing access control for even a small number of users is no easy feat, but when that number reaches over 13,000 users, it becomes significantly more challenging. This situation is the everyday reality for ConocoPhillips. As one of the world’s largest independent oil and gas exploration and production companies, the business has a vast and complex network of global users requiring access to its systems. This means the enterprise must work especially hard to meet governance, risk, and compliance (GRC) requirements such as access control and segregation of duties (SoD).
To make the daunting challenge of access control dramatically simpler, ConocoPhillips began using SAP Access Control in 2009. It started with SAP Access Control 5.2 and has continuously implemented new releases of the application, culminating in its recent upgrade from version 10.0 to 10.1. Deploying any solution on such a large scale in a business will inevitably require a process of configuration and stabilization, and ConocoPhillips is no exception. The upgrade to SAP Access Control 10.1 prompted a year-long stabilization project that is typical for the business, according to Trevor Wyatt, GRC Administrator at ConocoPhillips.
“It seemed like every time we upgraded the system, certain things that were working previously were affected in moving to the latest release,” Wyatt says. “It could take months to get all those processes back to how we expected them to run.” However, due to the importance of stringent access control at ConocoPhillips, each upgrade project was a necessity the enterprise willingly undertook.
Stabilizing the System
Because stabilizing a new implementation takes time and resources, some companies delay upgrades and stay on the same release for longer than recommended. In the case of ConocoPhillips, Wyatt explains that the functionality gains of implementing newer versions were too great to pass up. Over the years, SAP added functionality and made enhancements to SAP Access Control — including greater stability and customization features — which contributed to the decision to upgrade to SAP Access Control 10.1.
Throughout this upgrade project and stabilization, the lines of communication between SAP and ConocoPhillips were kept open, as the business is heavily involved with the Customer Advisory Council for SAP Access Control and therefore accustomed to working closely with SAP to identify issues and develop solutions. Through this mutually beneficial collaboration, ConocoPhillips receives a direct line to SAP experts and is able to provide SAP with ideas and suggestions that often make their way into future releases of SAP Access Control.
By collaborating with experts from SAP and thinking creatively, ConocoPhillips was able to configure the system to suit the enterprise’s exact needs. “Some of it was trial and error, trying parameters and figuring out what worked for our specific performance or even background jobs to keep them from crashing,” Wyatt says. By diligently trying different approaches, ConocoPhillips improved its ability to schedule necessary jobs, enable emergency access management, evaluate SoD risks, and more.
A Focus on the End User
One of the main initiatives of the SAP Access Control upgrade was to customize user interfaces. This was a new feature available in SAP Access Control 10.1 and, according to Wyatt, one of the main selling points for moving to this new release. “In configuring the user interface, we removed fields that we didn’t use or weren’t pertinent to our business and just showed users the meat of what they needed to see,” Wyatt says. “Then, we included additional help features and used some of the SAP Fiori functionality to better suit our needs.” The result was a user interface that made it significantly easier for end users to submit or process requests throughout the workflow.
Usability was further increased by the project’s minimization of workflows. Wyatt says that he always aims to keep workflows at a controllable number, both to streamline the project and to make the solution easier to use. While other organizations might have hundreds of workflows within SAP Access Control, ConocoPhillips only has a handful. “In this instance, less is more,” he says. “The more workflows you have, the harder it is to troubleshoot and the more ways it could go wrong.”
And in the case of the end users, having simpler workflows means less risk. “Instead of taking months to get approvals, it takes minutes,” Wyatt says. “That’s the idea behind keeping it simple — you don’t have the complexity, which causes risk in the workflow.”
Throughout this entire upgrade and stabilization period, ConocoPhillips was highly attentive to the needs of the end users. The business provides its users with job aids, hands-on training, and in-class training, depending on their needs. Wyatt also emphasizes the importance of continuous training, especially when users don’t have a background in the technology. “It’s pretty technical; users are unlikely to get it right away. The second time is when it probably starts to sink in,” he explains. “So we definitely recommend train and train again.” By training thoroughly, ConocoPhillips was able to get thousands of users accustomed to the functionality its newly configured SAP Access Control 10.1 offered.
Obtaining Access Control Confidence
SAP Access Control 10.1 is now working seamlessly at ConocoPhillips, with no unmitigated risks and hardly any workflow issues. Some of the key benefits of this project are experienced during the audit process. The solution is heavily scrutinized by both internal and external audit, according to Wyatt, to ensure it’s working as it should. Due to that scrutiny, and because auditors have been satisfied by the success of the upgrade, there’s less work that has to be done during audit season. “As SAP Access Control gets more stable, auditors trust the system more and don’t have to dig as deep,” Wyatt says. And as an added bonus, auditors can pull information directly from the solution instead of having to request that information from the GRC team. This saves time and streamlines processes for both auditors and GRC professionals.
The biggest benefits, of course, are seen within the GRC division. After such a careful process of removing issues from the system and configuring it in the way that’s best for ConocoPhillips, the enterprise is enjoying complete trust in its access control processes. “We’re a lot more comfortable today,” Wyatt says. “We don’t have to second-guess the system performance, and we’re confident that it’s doing what we think it is. There’s a lot of reassurance in that.”
Wyatt offers some advice for other organizations looking to implement SAP Access Control: “Make sure you are configuring SAP Access Control to work for your business,” he says. “You don’t want to just go in and just start changing a bunch of parameters. You want to make sure that it’s right for your organization and aligns to your specific needs.”