Speed and agility are becoming critical success factors for companies. They are often accompanied by employee growth and the flexible deployment of specialists in a wide variety of departments and projects. IT departments can then reach their capacity limits, because the assignment of users, roles and authorizations in the relevant systems still relies largely on manual process steps.
Identity Lifecycle Management is part of enterprise security and describes all processes for assigning roles and authorizations − from when an employee joins the company, through changing responsibilities or even department changes, to when he or she leaves.
SAP offers the following solutions for maintaining and managing access rights and users:
These solutions, individually or in combination, enable an efficient and compliant operation of target systems. This includes the detection and minimization of risks as well as the process-based provisioning and removal of users and accesses.
Authorizations in SAP systems form the basis for identity & access management. They enable users to access the applications they need to perform their tasks. Since functional and organizational requirements are subject to change, SAP authorizations must be regularly checked and reworked. This is the only way to ensure that processes are mapped securely, completely and correctly from a technical point of view.
In order to identify and minimize risks in authorizations and to assign them correctly via the SAP user lifecycle, the use of supporting solutions from identity & access management is recommended.
New employees are usually first created in HR databases such as SAP SuccessFactors or SAP HCM. Information about their functions in the company is also maintained there, for example, date of entry and membership of teams and departments. Manually provisioning the corresponding roles and authorizations for entry generates a high level of administrative effort, which can be avoided with automated Identity Lifecycle Management (ILM) or User Lifecycle Management (ULM).
Automated approval processes
Automated administration of roles and authorizations in the event of function or department changes
Automated assignment of authorizations for work groups (temporary and cross-system)
Automatic deletion of user profiles
Extensive self-services (password reset, ordering system access, etc.)
Given the triumph of cloud applications, it is no longer sufficient to manage digital identities in a single system. Authorizations and roles on the on-premise ERP system are supplemented, for example, with access to a cloud CRM system, connected project management systems such as Jira or mail services such as Gmail. Furthermore, human resources management systems such as SAP SuccessFactors must be integrated, which are often the source of all information for a digital identity.
All systems must be managed centrally and as automatically as possible, which is achieved via a central identity management system. From there, the automated provisioning of the correct roles and authorizations takes place via connectors in the connected systems, which greatly simplifies the cross-system management of identities.
Identity Lifecycle Management (ILM) or User Lifecycle Management (ULM) is part of enterprise security and describes all processes for assigning roles and authorizations − from the time an employee joins the company, through changing responsibilities or even department changes, to the time he or she leaves.
The challenges of Identity Lifecycle Management or User Lifecycle Management can best be described using the concrete example of an employee.
Let’s assume that a new employee joins a company on a certain date. His digital identity should be created before he starts work so that he has full access to the systems and applications that are important for him and his job. This means that Identity Lifecycle Management or User Lifecycle Management begins well before the employee’s first day of work, namely when the employment contract is signed.
The signing triggers the creation of a corresponding user in the user directory (LDAP, SAP Central User Administration (ZBV) or other) and the assignment of roles and authorizations to him according to his function in the company. The roles and authorizations are then transported to the systems on the entry date (provisioning). During this step, authorizations are also granted for special project rooms in systems such as SharePoint, Jira, Confluence, SAP Jam or other collaboration platforms.
After the employee has worked successfully in the company for some time, new opportunities arise for him through a change of department with new responsibilities. Identity Lifecycle Management or User Lifecycle Management also describes this process. New authorizations are added, access rights that are no longer necessary are withdrawn − an important part of adhering to compliance guidelines. It makes sense here to use tools that help check roles and authorizations at the push of a button and answer the question of what the employee really needs.
The employee goes through this process several times until he or she leaves the company. Now it is important to ensure that all access to systems and applications is revoked as of the effective date and that the now former employee can no longer access internal data and systems of his or her former employer.
It is advisable not to blindly rely on the correct execution of de-provisioning processes, but to carefully check their results.
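One way to carry out this check, as an added example that is not part of the original page or of any SAP or SECMENDO product: reconcile the HR leaver list against account exports from the connected systems and report what survived de-provisioning. All system names, user IDs, field names and dates are constructed, and the sketch assumes every export carries the HR employee ID as correlation attribute.

```python
from datetime import date

# Constructed sample data: HR leavers (employee id -> last working day).
LEAVERS = {"E1001": date(2024, 3, 31), "E1002": date(2024, 6, 30)}

# Constructed account exports from connected systems (all names hypothetical).
ACCOUNTS = [
    {"system": "ERP", "user": "JDOE", "employee_id": "E1001",
     "locked": True, "valid_to": date(2024, 3, 31), "roles": []},
    {"system": "CRM", "user": "j.doe@example.com", "employee_id": "e1001",
     "locked": False, "valid_to": None, "roles": ["sales_rep"]},
    {"system": "Jira", "user": "jdoe", "employee_id": "E1001",
     "locked": True, "valid_to": None, "roles": ["project-x-admin"]},
    {"system": "ERP", "user": "ASMITH", "employee_id": "E1002",
     "locked": False, "valid_to": date(2024, 6, 30), "roles": ["Z_FI_CLERK"]},
    {"system": "ERP", "user": "BLEE", "employee_id": "E2000",
     "locked": False, "valid_to": None, "roles": ["Z_HR_ADMIN"]},
]


def find_residual_access(leavers, accounts, as_of):
    """Return (system, user, reason) for leaver accounts that survived de-provisioning."""
    findings = []
    for acct in accounts:
        # Systems disagree on ID casing, so normalise before correlating.
        exit_date = leavers.get(acct["employee_id"].strip().upper())
        if exit_date is None or exit_date >= as_of:
            continue  # not a leaver, or still employed on the check date
        expired = acct["valid_to"] is not None and acct["valid_to"] < as_of
        if not acct["locked"] and not expired:
            findings.append((acct["system"], acct["user"], "account still active"))
        elif acct["roles"]:
            # A locked or expired account that keeps its roles regains
            # full access the moment it is unlocked or extended.
            findings.append((acct["system"], acct["user"], "roles still assigned"))
    return findings


if __name__ == "__main__":
    for system, user, reason in find_residual_access(LEAVERS, ACCOUNTS, date(2024, 4, 15)):
        print(f"{system:5} {user:20} {reason}")
```
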
The documentation of authorization assignment and the associated reporting to support audits are highly important as disciplines of Identity & Access Governance for compliance reasons. They are greatly simplified by fully automated Identity Lifecycle Management and User Lifecycle Management.
Learn how SAP Cloud Identity, Okta and One Identity can help you provision your users and authorizations to SAP and non-SAP systems compared to SAP Identity Management. Watch the 3rd SECMENDO Online Conference.
In October 2020, we reported on User Lifecycle Management processes in hybrid SAP landscapes at our 2nd SECMENDO Online Conference.
With the 1st SECMENDO Online Conference we have created an event that focuses on Identity & Access Management in SAP landscapes and shows participants how to increase security and productivity in their systems.
Identity & Access Management solutions, individually or in combination, enable efficient and compliant operation of target systems. This includes the detection and minimization of risks as well as the process-based provisioning and removal of users and accesses.
Authorizations in SAP systems grant users access to the applications they need to perform their activities. In order to map the processes securely and correctly, SAP authorizations must be subject to regular control and post-processing.
The tools of the SECMENDO product suite extend the capabilities of existing SAP Identity & Access Management (IAM) solutions. The goals are an improved user experience, enhanced functionality and more efficient processes.