The discontinuation of SAP Identity Management (IdM) is the perfect opportunity to revisit your entire identity strategy, and improve your overall business processes, security posture, and performance. In particular, it’s a chance to look at the bigger picture and invest in an enterprise IGA solution that handles access and identity control across SAP and non-SAP applications.
We believe that for the majority of organisations full integration and the ability to see every identity through a single pane of glass is the way forward, but getting this right requires a carefully planned strategy encompassing processes, people and technology. This blog will explore why an integrated identity strategy will benefit your business and how to approach it.
Because enterprises have so many applications other than SAP to look after as it is, SAP has often been left separate and treated as a ‘black box’. Its perceived complexity, its integration challenges, and the siloed nature of SAP teams mean that it’s often left out of improvement plans.
But contrary to popular belief, SAP can absolutely be comprehensively integrated into enterprise IGA solutions. Showcasing successful case studies and highlighting vendor partnerships that improve compatibility can help dispel this assumption. But it is also important to emphasise best practices for managing customisations, provide training and resources for Identity and SAP Security teams, and promote the continuous advancement of integration technologies. By focusing on these areas, organisations can illustrate that effective integration is not only possible but also increasingly attainable.
Ultimately, the integrated approach enables benefits on a number of different fronts, including:
Cost efficiency: a consolidated approach is more cost-effective and can help unlock funding for more success in the future.
Operational efficiency: smoother experiences can improve productivity and satisfy users, without compromising security along the way.
Enhanced security posture: Cloud adoption with S/4HANA and RISE requires tighter SAP and identity integration due to a dissolving security perimeter, which is where coordination and a single source of truth can reinforce strong security measures.
Knowledge sharing: bringing SAP and Identity teams closer together allows them to pool their expertise in mutually beneficial ways.
So, what’s the best way forward for your strategy? We suggest starting with the identification of desired outcomes and necessary capabilities, and then using those to influence your solution selection process.
We recommend the following approach:
Define the endgame: work out what your future identity fabric will (or should) look like in ten to fifteen years from now.
Assess your set-up and maturity: identify the current state and necessary changes across the estate.
Agree on a direction: ensure that all teams and stakeholders buy into the overall vision, with an in-depth analysis of requirements that involves both SAP and Identity teams.
You should also consider several other important factors from a systems perspective: for example, the complexity of your SAP and non-SAP estates and what will need to be configured and migrated. It’s also worth considering the breadth and depth of integration required for all target systems; and the current security capabilities of enterprise and SAP applications to identify what needs to be augmented or integrated.
With your key outcomes and direction decided, you can then begin to work out what your integrated solution should look like in practice, ideally by focusing on the capabilities you need rather than the solutions themselves. For example:
Lifecycle management: how can you meet future lifecycle management needs in SAP across automation, cost reduction and risk removal?
Access governance: can you certify access appropriateness through a risk-based approach rather than an all-in, tick-box approach?
Authorisation management: how can you enable an appropriate role-based access concept, so that it’s an easily discoverable and requestable object in any IGA solution or IP service management solution?
Access Risk Management: how can you maintain a fundamental set of rules and permissions to control the risk of fraud, financial manipulation, access to sensitive and highly-private data, and minimise the impact?
Privileged Access Management: how can you retain some of your ABAP-based Firefighter capabilities for S/4HANA in the cloud, and control and manage other dimensions around BTP in an audited way?
You may have all or none or some of these capabilities in order to meet your future security posture needs. But either way, you need to have a clear view of and track all of them as part of your roadmap development.
From here, you can start to redefine your Identity and SAP Security teams’ roles and duties. In an ideal world, these new responsibilities should look something like this:
Identity Team |
SAP Security Team |
|
Providing support and training on the new enterprise IGA solution |
Managing all SAP roles, profiles and entitlements |
|
Sourcing integration and attribute configuration |
Managing SAP Segregation of Duties policies |
|
Monitoring and reporting |
Working with business and audit teams |
|
Coordinating with owners of non-SAP applications |
Reporting on SAP certifications and compliance |
|
|
Driving SAP RBAC modelling for the enterprise teams |
With so much to reconfigure and reconsider, this migration represents a big technological and organisational change. That means that a carefully planned migration is absolutely essential for success - and that’s where Turnkey’s expertise and an enterprise IGA solution like SailPoint’s come in.
Turnkey has 15 years of success delivering identity and access management projects, and 20 years of success with SAP projects, making us an ideal consultation and advisory partner across strategy, road mapping, vendor selection, implementation and ongoing management. With our expertise – and ability to provide a fully managed service for the new solution – we can help ensure your SAP and identity teams come together and implement the right technology and business changes for your specific long-term goals.
SailPoint’s enterprise IGA solution gives you a 360-degree view of identity, enabling full visibility of which identity has which type of access across your entire organisation from a single pane of glass. This is dovetailed by Turnkey’s end-to-end expertise in identifying organisational maturity and needs, all the way to planning and even managing implementation and the ongoing running of the new solution.
Get more in-depth expertise on building an organisation-wide identity strategy by registering for our upcoming webinar here.