This blog was produced in partnership with SailPoint; authored by Richard Malmberg, Senior Solutions Engineer, SailPoint.
As an SAP professional, you know as well as anyone how important SAP is for your organisation. But SAP cannot function in a silo. Now more than ever, to keep key business processes operating smoothly and protect sensitive information enterprise-wide, it’s essential that SAP is better aligned with organisation-wide Identity and Access Management (IAM).
This is especially true in the current climate. As many organisations using SAP move towards a cloud-first future with S/4HANA and RISE and seek to unlock new business value by leveraging AI and a growing SaaS-based product offering, the security perimeter as we once knew it is eroding. This reality will bring SAP team’s priorities closer to those of the Identity team, although several key differences and potential conflicts between the two groups remain. In the long term, SAP teams will have to collaborate closely with the Identity teams to balance these priorities, something even the most organised businesses may find challenging.
In part two of our two-part series, we explore how Identity and SAP teams can work better together to protect their enterprise and drive performance from an SAP point of view.
The disconnect between SAP and Identity teams
SAP teams are generally tasked with focusing on that critical platform and the availability, accessibility and functionality of the modules with it. Identity teams, on the other hand, look at things from a wider security angle, wanting to keep all the organisation’s key assets safe and make it easier for the colleagues to access the applications they need, when they need it.
As a result, a significant source of friction is that identity security is just one of the things that the SAP team must juggle, while it is generally the only thing that the Identity team is concerned with. Because of this, SAP teams often end up feeling that Identity teams don’t fully comprehend all the ins and outs of SAP access and/or that they don’t have the expertise to do so. For example, SAP security involves multi-layered processes like building a role, ensuring it’s compliant and certified, and managing segregation and SoD-sensitive PII data. Identity teams, in contrast, typically won’t have the expertise to manage that process end-to-end.
This can naturally lead to SAP teams being more protective of their domain. In not wanting Identity teams to interfere with their system, the two teams end up working independently of each other. When SAP security is siloed, however, it tends to work under a different set of security practices and policies, such as multiple passwords and layers of authentication, which is at odds with the consistent approach that IAM encourages.
The benefits of working together
All is not lost. SAP and Identity teams have more in common than it might seem. Both groups play a valuable role in providing access to the business. Moreover, both rely on similar sources of truth – think HCM platforms like SAP SuccessFactors and Workday.
With SAP moving further towards the cloud and bringing in more opportunities to connect to other applications, the need for SAP and Identities teams to collaborate and avoid unmanageable complexity is growing all the time. At a basic level, working together will eliminate the risk of mismatches in identity management. But the benefits of a collaborative approach go far above and beyond this to include:
- Efficient utilisation: SAP team expertise can used more widely and deliver more value to the business overall.
- Enhanced skill base: SAP teams can gain a greater breadth of knowledge across both SAP and IAM as a whole, expanding their expertise and making them an even bigger asset within the organization and the market.
- Consolidated and consistent approach: Cost efficiency can be maximised and access provisioning made more consistent by removing any overlapping functionality.
- Improved user experiences: Every user gets a simpler access experience overall, with a single method to request access that covers everything they need, including SAP.
- Better visibility: Combining the system and strategy facilitates the creation of triggers enterprise-wide that can lock down all access for risky accounts and protect all systems and applications.
- A more successful programme: A collaborative approach allows SAP and Identity teams to tap into each other’s knowledge. It also enables Identity teams to make a more constructive contribution when they get involved with SAP.
A better relationship for better outcomes
When SAP and Identity teams come together through a consolidated, enterprise-wide IAM platform, everybody wins. The two teams work more efficiently and effectively and gain more expertise; the end-users gain a simplified and more consistent experience. To achieve this, however, both teams need to have a positive attitude and a constructive approach.
To help smooth the process of working with Identity teams, SAP teams should:
- Understand each other’s priorities. Recognise and respect each other’s knowledge, roles, and responsibilities.
- Be clear and open about each team’s challenges and pain points.
- Be proactive in raising concerns and asking questions about the collaboration.
- Explore opportunities for expanding expertise, including training or certification opportunities.
- Identify an ‘integration champion’ who can maintain and support a good working relationship between the two teams.
Remember, Identity teams respect your SAP knowledge and want you to work with a new, improved platform that upskills and automates for everyone’s benefit. By sharing a strong commitment to the partnership, you and Identity colleagues can work together to ensure your organisation has the right expertise and the right technology in the right places and reinforce your roles as enablers of better business outcomes across the enterprise.