Turnkey Consulting | Key View

IAM and SAP Integration: What Identity teams need to know to work better with SAP teams

Written by Richard Malmberg | 21 May 2024

This blog was produced in partnership with SailPoint; authored by Richard Malmberg, Senior Solutions Engineer, SailPoint.

Good integration between Identity and Access Management (IAM) and SAP boosts operational efficiency, improves user experiences, and reduces the risk of cybercrime. But for many organisations, it’s easier said than done. Achieving this means creating a shared understanding of the mutual benefits of collaboration and balancing the priorities of Identity amidst the different demands of the SAP team.

But how do you get there?

In part one of our two-part series, we explore how Identity and SAP teams can work better together to protect their enterprise and drive performance from an Identity point of view.

The disconnect between Identity and SAP teams

First, it’s important to understand the differences in each team’s responsibilities. The Identity team is generally focused on keeping all the assets within an organisation safe, some of which will be housed within the SAP environment. The SAP team, on the other hand, has a remit that includes security but goes far beyond it to include the availability, accessibility, and functionality of the SAP platform for most users.

This disconnect can lead to friction. For example, when Identity teams try to engage with SAP teams, SAP teams are often reticent, or worse, resistant. SAP teams don’t want their normal operations interfered with by those who don’t understand all of SAP’s complexities and challenges. Separately, SAP teams may also feel to a certain extent that if the Identity team gets too involved, then their own jobs may be rendered obsolete.

While SAP teams are right that their Identity colleagues don’t always have the knowledge around compliance, certification, segregation, SoD-sensitive PII data and so on, they must realise it’s because Identity teams don’t necessarily need to. This illustrates why a shared understanding of each team’s roles and responsibilities matters. Without it, SAP security ends up siloed from everything else, leading to a disjointed and inconsistent approach across the organisation that flies in the face of the principles of IAM.

Why Identity and SAP teams should work together

Identity and SAP teams need to work in harmony. The good news is that there’s more overlap between the demands of each team than meets the eye.

For starters, both teams are focused on providing access to the business, often relying on the same sources of truth, such as HCM platforms like SAP SuccessFactors and Workday. At the same time, with SAP introducing more flexibility to connect to other applications, things are becoming more complex from an identity security perspective. Only if the two teams come together and converge upon one overarching solution can mismatches in identity management be avoided.

But it shouldn’t stop there. By collaborating on an ongoing basis, Identity and SAP can achieve so much more. Together, they can achieve:

  • A consolidated, cost-efficient approach: Bringing the two teams together creates cost efficiency by removing any overlapping functionality. It can also make access provisioning much more efficient and consistent across the organisation.
  • Improved user experiences: A single approach to access provisioning simplifies things for users, who can then request one role through one method and get access to everything they need, including SAP.
  • Better visibility: A combined system and strategy make it easier to create triggers that lock access for risky accounts across all systems and applications, which is simpler and faster than doing so for separate systems.
  • Unlocked funding: Only having to fund one identity solution rather than two frees up funding that the Identity team can utilise. Further budget can be unlocked by demonstrating efficiency to the CFO and reducing the risk of negative audit findings.
  • A more successful programme: By working in harmony and utilising each other’s skills, it becomes far easier for the Identity team to tap into SAP team knowledge and move into the SAP space, often considered the crown jewels of an organisation, for better management and utilisation.

How to foster a better relationship 

A joined-up and collaborative approach to SAP and identity, especially through a consolidated, enterprise-wide IAM platform, is ideal for getting the best of both worlds for the teams involved and the end-users across the organisation. But this is about more than just technology. It requires both teams to come in with a positive and proactive mindset toward a single identity solution.

To help get SAP teams on board, Identity teams should:

  • Facilitate clear and open discussion around the key challenges and pain points of each team.
  • Listen to SAP team concerns and demonstrate how you want to work alongside them – leveraging their expertise without usurping their positions.
  • Emphasise upskilling by offering training and support, and clarify any queries about certifications.
  • Demonstrate how the SAP team can drive more benefit for the business as a whole through a more collaborative approach.
  • Nominate an ‘integration champion’ to support a better relationship between the teams and facilitate discussions.

Ultimately, the best convergence of identity and SAP involves the right expertise in the right places, a strong commitment to partnership, and the use of the right technology. This allows both Identity and SAP teams to be business enablers, contributing to better outcomes across the organisation.
