One of the more challenging problems of identity and access management (IAM) is dealing with the dizzying array of user entitlements. Simple questions such as ‘What resources does George have access to?’ or ‘Who has access to this resource?’ are generally easy to answer. Taking the next step of inquiry and asking ‘Why does George have access to this resource?’ or ‘Do all these people really need this access to do their job?’ is where governance products add real business value.
Complex enterprise applications like SAP can be difficult to model. For example, with many applications, you have users and you have groups. Groups provide access to resources, and users are put into groups to grant access. This is fairly easy to model.
Then there’s SAP. It has groups and users, sure, but it also has clients, profiles, roles, menus and transaction codes. Then, add to the mix different inheritance rules for each of these objects. This makes trying to boil these complex relationships down to users and groups nearly impossible.
One common response that I’ve seen at organizations that I have worked with is to divide the enterprise into SAP and everything else. On the surface, this seems to make sense. But many identity and access governance (IAG) solutions don’t have rich support for SAP. Administrators from the Windows and Unix environments don’t share a common entitlement philosophy with the SAP folks, which makes the decision to keep the two worlds – SAP and non-SAP – separate that much easier. This approach drastically reduces the value of the systems in which you’ve invested. It also makes it a real challenge for organizations to get a single view of a user – if it’s possible at all. This situation of siloed data and resources results in redundant platforms and processes for entitlement requests. And it makes it extremely difficult to enforce controls, such as separation of duty rules, across the multiple platforms.
Our Identity Manager solution provides rich support for SAP, including all of the SAP objects. To be sure I can write that last sentence, I checked. We track 78 objects and relationships. We can inform an administrator where a profile is being used, which activities and transactions it enables, on which clients – and for which users. SAP is a first-class citizen in Identity Manager, as are all the other enterprise systems. So, you get a single view into your SAP environment, as well as the same view across all your enterprise applications. No more redundant platforms. No more duplication of effort. That sounds like you have the ability to Get IAM Right – today.
Want to learn more? Here are a couple of opportunities to engage with us:
One Identity is a sponsor at the upcoming SAPPHIRE NOW and ASUG Annual Conference taking place in Orlando, FL, May 16-18. If you are attending, come by and visit One Identity at booth #1088.
You can also join us in an online event that we’re sponsoring with KuppingerCole. Register for the webinar: Getting Identity and Access Management Right – Even If SAP Is Involved.