This blog is an update to an earlier post: Achieve Seamless, Efficient SAP GRC Access Control Operations through Managed Services.
As organizations transition to SAP S/4HANA and SAP cloud solutions, they often discover that GRC capabilities and processes also need to be updated more frequently. One example of a continuously changing dataset is the segregation of duties (SoD) ruleset. With S/4HANA, the GRC ruleset now supports monitoring many new access types, including Fiori apps and HANA database access. While an implementation or upgrade project would typically include the relevant set of Fiori apps in the ruleset at a specific point in time, the continued effort of keeping the ruleset up to date with newly implemented Fiori apps is equally important: an app that is deployed but never added to the ruleset is invisible to risk analysis. Additionally, as the landscape shifts to cloud applications, there is an increasing need to integrate existing security and access governance processes via add-on solutions like SAP IAG Bridge. Ongoing specialized activities such as these are required to support and manage this evolving landscape and can be performed efficiently by a GRC Managed Service provider.
What is GRC Managed Services?
GRC Managed Services provides a specialized workforce that can perform strategic activities and initiatives. In addition to identifying and deploying incremental changes on demand, GRC Managed Services can perform many ongoing operational activities, such as managing daily or periodic GRC reporting and ongoing monitoring of key performance metrics. The improved data availability in HANA-based applications helps enable these frequent reporting activities. For many organizations, however, a dedicated GRC administration resource pool for these activities is not feasible, or simply not necessary, because an outsourced managed services team can provide greater value and drive efficiency through specialized skillsets.
SoD and sensitive access management
The day-to-day operations of access risk analysis (ARA) vary from one organization to another. However, there is a common theme: reporting risk analysis results periodically while helping executives and reviewers interpret the issues in business context, so that each risk is either remediated (the conflicting access is removed) or mitigated (a documented control is assigned). SAP GRC applications ship with a handful of dashboards, but occasionally it is necessary to leverage data visualization software like Power BI or Tableau to create custom visualizations tailored to an organization's needs.
A few other key daily or periodic activities related to risk analysis are:
- Monitoring synchronization and batch risk analysis jobs
- On-demand ruleset updates, including adding new Fiori apps and custom transactions to the ruleset
- Optimizing risk analysis results by maintaining exclude objects and critical roles / profiles
- Continued remediation and mitigation efforts to improve security compliance
- Ensuring optimum performance through periodic clean-up jobs and appropriate system usage
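The activities above all operate on the same underlying model: a ruleset of functions (sets of actions such as transaction codes or Fiori app IDs), risks defined as conflicting combinations of functions, exclude objects that suppress noise, and mitigating controls assigned to accepted risks. The following is an added example, written for this page and not code from Protiviti or SAP, that runs a simplified action-level risk analysis over constructed data and computes the kind of KPIs a dashboard would show. It also demonstrates the ruleset-drift point: a Fiori app that is live but not yet in the ruleset produces no violation until the ruleset is updated. All function, risk, control and user identifiers are hypothetical.

```python
"""Simplified SoD risk analysis over constructed data (added example, not SAP GRC code).

Model, mirroring the GRC Access Control ruleset in reduced form:
  function  -> set of actions (transaction codes / Fiori app IDs) it grants
  risk      -> set of functions that conflict when one user holds all of them
  exclude   -> actions ignored during analysis (display-only, decommissioned, ...)
  mitigation-> (user, risk) pairs covered by a documented mitigating control
Every identifier below is hypothetical.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Hypothetical ruleset: function -> actions it grants.
FUNCTIONS: Dict[str, Set[str]] = {
    "AP01_VENDOR_MASTER": {"XK01", "XK02", "FK01", "F0123"},  # maintain vendor master
    "AP02_INVOICE_ENTRY": {"FB60", "MIRO", "F0859"},          # post vendor invoices
    "AP03_PAYMENT_RUN": {"F110", "F111"},                     # execute payment runs
    "SA01_BASIS_ADMIN": {"SU01", "PFCG"},                     # user and role administration
}

# Hypothetical risks: risk id -> (description, conflicting functions).
# A single-function risk models critical access rather than an SoD conflict.
RISKS: Dict[str, Tuple[str, Set[str]]] = {
    "P001": ("Maintain vendor master and post vendor invoice", {"AP01_VENDOR_MASTER", "AP02_INVOICE_ENTRY"}),
    "P002": ("Post vendor invoice and execute payment run", {"AP02_INVOICE_ENTRY", "AP03_PAYMENT_RUN"}),
    "B001": ("Basis administration (critical access)", {"SA01_BASIS_ADMIN"}),
}

# Exclude objects: hypothetical superseded Fiori app still present in old roles.
EXCLUDED_ACTIONS: Set[str] = {"F0859"}

# Mitigating controls: (user, risk id) -> control id (hypothetical).
MITIGATIONS: Dict[Tuple[str, str], str] = {("JSMITH", "P002"): "MC-AP-007"}

# Constructed user -> effective actions, as an authorization sync would pull them.
# F0712 models a newly deployed invoice-entry Fiori app not yet added to the ruleset.
USER_ACTIONS: Dict[str, Set[str]] = {
    "JSMITH": {"FB60", "MIRO", "F110"},
    "ALEE": {"XK01", "F0859", "F0712"},
    "BASIS1": {"SU01", "PFCG", "SE16"},
    "RJONES": {"XK02", "FB60", "F111", "ME21N"},
}


@dataclass
class Violation:
    user: str
    risk_id: str
    functions_hit: Dict[str, List[str]]  # function -> actions that satisfied it
    mitigated_by: Optional[str] = None


def analyze(user_actions=USER_ACTIONS, functions=FUNCTIONS, risks=RISKS,
            excluded=EXCLUDED_ACTIONS, mitigations=MITIGATIONS) -> List[Violation]:
    """A user violates a risk when every function in the risk is matched by at
    least one non-excluded action the user holds."""
    violations: List[Violation] = []
    for user, actions in sorted(user_actions.items()):
        effective = set(actions) - excluded
        for risk_id, (_desc, conflicting) in risks.items():
            hits: Dict[str, List[str]] = {}
            for fn in sorted(conflicting):
                matched = effective & functions[fn]
                if not matched:
                    break  # one function unmatched: no violation for this risk
                hits[fn] = sorted(matched)
            else:
                violations.append(Violation(user, risk_id, hits, mitigations.get((user, risk_id))))
    return violations


def kpis(violations: List[Violation]) -> Dict[str, object]:
    """Aggregate the figures a risk dashboard would show."""
    unmitigated = [v for v in violations if v.mitigated_by is None]
    return {
        "violations": len(violations),
        "unmitigated": len(unmitigated),
        "users_with_violations": len({v.user for v in violations}),
        "users_with_unmitigated": len({v.user for v in unmitigated}),
        "by_risk": {rid: sum(1 for v in violations if v.risk_id == rid) for rid in RISKS},
    }


def with_new_app(functions: Dict[str, Set[str]], function: str, app_id: str) -> Dict[str, Set[str]]:
    """Return a copy of the ruleset with a newly implemented app added to a function."""
    updated = {fn: set(acts) for fn, acts in functions.items()}
    updated[function].add(app_id)
    return updated


if __name__ == "__main__":
    before = analyze()
    print("before ruleset update:", kpis(before))
    after = analyze(functions=with_new_app(FUNCTIONS, "AP02_INVOICE_ENTRY", "F0712"))
    print("after adding F0712 to AP02:", kpis(after))
    for v in after:
        print(v.user, v.risk_id, v.functions_hit, "mitigated by", v.mitigated_by)
```

Before the ruleset update ALEE shows no violation even though the user can maintain vendors and enter invoices through the new app; after F0712 is added to the invoice-entry function, P001 fires. Note the simplification: this runs at action level only, whereas SAP GRC can also evaluate at permission level (authorization objects and field values), so an action-level analysis like this one over-reports relative to a permission-level run.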
Example: Access risk dashboards
Emergency access management
Also known as the firefighter module, emergency access management (EAM) can mostly be set to autopilot through firefighter access provisioning and firefighter log review workflows. A managed services team can be leveraged to provide:
- Proper master data maintenance to support the workflows
- On-call support to address or work around any unexpected errors
- Supervision of workflow SLAs and follow ups as needed
- Trend analysis reviews and optimization of firefighter usage
- Monitoring of EAM background jobs
- Ensuring log review workflows are completed on time
Example: firefighter access and usage dashboards
User provisioning and role management
Access request management (ARM) workflows facilitate a compliant SAP user access request process and automated provisioning of access. While business role management (BRM) has its own workflow and methodologies for role maintenance, it is more commonly used as the technical and business role repository to support ARM workflows. A managed services team can help implement and optimize ARM and BRM functional scope based on the organization’s needs and complexity. Once implemented, the key tasks of a GRC managed services team might include:
- Maintaining an up-to-date BRM library, including new business roles
- Providing trend analysis and optimization of workflow usage
- Addressing workflow enhancement / optimization needs
- Monitoring background jobs and active workflow instances
User access review and SoD review
The successful execution of key periodic review rounds is one of the most important responsibilities for a GRC managed services team. SAP GRC offers two automated workflows that address the periodic SAP user access review (UAR) and SoD and sensitive access review (SoDR) needs, which are typically executed at least semi-annually. After sending the review requests to the reviewers through GRC, the team would typically perform the following activities:
- Daily monitoring of review completions, including providing technical support to the reviewers
- Managing rejected request items
- Scheduling timely reminder emails
- Managing escalations
- Ensuring appropriateness of UAR decisions made by the reviewers
- Identifying and executing optimal SoD resolution based on reviewer input
Putting it all together
In addition to the GRC Access Control specific tasks noted above, support pack upgrades, resolving newly identified bugs, evaluating and designing solutions for new functional requirements, keeping user training materials current as functionality or processes are enhanced, and similar work can lead to IT support bottlenecks or unforeseen consulting costs. Protiviti's GRC Managed Services are designed to address such needs cost-effectively, enabled by a team with years of GRC implementation and support experience. The service model is scalable and flexible and can be customized to customer-specific needs. Team operations are driven by KPIs, ensuring optimum cost and integration with the client's overall IT support model.
The service incorporates Power BI and Tableau dashboards to supplement the default dashboards and enables ongoing KPI monitoring, with existing visualizations for over 40 GRC access control KPIs. These dashboards can be custom tailored to existing needs and encourage interaction so each user can filter and focus on the data needed to drive action.
Example: GRC access control KPIs
To learn more about our SAP capabilities, contact us.