SAP Cloud Identity Access Governance: What’s Going On at SAPinsider

The 2019 GRC, BI/Analytics and Finance SAPinsider Conferences took place in mid-March in Las Vegas. Our SAP teams spent time attending conference sessions, and their observations on what’s trending across the industry are compiled here in the first of a post-conference series.

During the 2019 conference, I talked with a number of customers who were unsure how SAP Cloud Identity Access Governance (IAG) fits within the bigger picture. Does it replace SAP GRC Access Controls? What if you are currently on GRC Access Controls 10.1 or 12.0? Do I need both GRC AC and IAG? In this blog post, I will address some of the confusion and talk through some of the major considerations with SAP IAG.

Much like the general trend that has everything moving to the cloud, GRC is now moving to the cloud, too! As a brief overview, IAG is a new GRC product that offers identity and access management capabilities such as:

  • Access Analysis: analyze access issues like SoD conflicts or sensitive access
  • Role Design: ability to manage and create compliant business roles
  • Access Request: provisioning compliant user access to various on-premise and cloud applications
  • Access Certification*: manage periodic access reviews for on-premise and cloud applications
  • Privilege Access Management*: administer privileged or Firefighter accounts in a controlled manner

*future functionality as of the publication date of this post

At first glance, IAG provides the same functionality as GRC AC, with equivalents to GRC functions like ARA, BRM, ARM, UAR, and EAM. While it is not an exact apples-to-apples comparison, IAG technically provides functionality similar to GRC AC. However, some functions are found only in IAG, such as native connectivity to SAP on-premise and cloud applications like Ariba, Concur, SuccessFactors, etc., and smarter intelligence tools like role cluster analysis to aid business role design or automated SoD remediation proposals based on criteria like transaction usage and risk criticality.

IAG can also extend GRC 12.0 with abilities like connectivity to SAP cloud applications. Through a concept called “IAG Bridge,” IAG can facilitate connections to applications that were not readily available with GRC 12.0. This hybrid approach, with both GRC 12.0 and IAG, offers the flexibility and customization of GRC 12.0 and the connectivity to cloud applications of IAG.

Now the decision becomes harder on what path to take: Do you need IAG for the ability to connect to cloud applications or access to new functions? Could just IAG alone fulfill your GRC requirements for your on-premise and cloud applications? Or do you need both GRC AC and IAG for the best of both worlds?

(Credit: SAPinsider) One possible GRC landscape using a hybrid approach.

Clear as mud? For some, the requirements are clear, but confusion still persists on what approach to take. A few other considerations to help make your decision:

  • For current GRC AC customers, switching completely to IAG is not necessary in order to access the key feature – the ability to connect to SAP cloud services. In this case, extending your current GRC capabilities via the IAG bridge approach may be better suited to maximize coverage.
  • For new customers looking for a GRC solution, IAG may be quicker to deploy than an on-premise solution, given the prerequisites involved with the latter.
  • For companies needing significant flexibility and customization to meet complex organizational and compliance requirements, GRC AC may fit your needs better.

There’s lots to consider with pros and cons to each option. In this ever-changing compliance landscape, GRC and IAG can now address current compliance needs and the needs of the future.

Roger Zhang

Senior Consultant
Technology Consulting – Enterprise Application Solutions