Product Report: SAP Business Objects GRC Access Control

The SAP BusinessObjects GRC Access Control (AC for short) solution is a powerful set of tools that helps automate risk analysis and mitigation for user and authorization management in SAP and non-SAP systems. It is a strong product for the SAP ABAP world and can cover non-SAP systems using real-time adapters from Greenlight. It covers a substantial subset of the overall GRC requirements: it provides a leading-edge solution for SAP environments, which are at the centre of many IT environments, and is able to perform as a real-time cross-platform solution.

The core of the product suite, Risk Analysis and Remediation (RAR), is the most valuable part and effectively helps to reduce risks in ABAP-based SAP systems, and correspondingly in the implemented business processes, mostly through the set of predefined risks delivered with the product. RAR also supports non-SAP systems in real time, because risks are defined at the business process level and mapped to technology-specific controls through a number of OEMed adapters from Greenlight. Mitigating controls need to be added per project, which is in general appropriate, but a few predefined elements would be of great help to customers. The existing guidelines and offerings from SAP, such as the Customer Advisory Office, can help in implementing the mitigation, as there is no best practice available because of the massive customization of the role assignment processes in customer organizations.
 
An important aspect of AC is the possibility to automate access rights assignment with Compliant User Provisioning (CUP), since this enables real-time risk analysis of planned authorization assignments. A critical factor for success is an appropriate and intelligent definition of the workflows. There are templates and standard workflows, pre-filled with e.g. HR master data, to start from.

Role creation is the objective of the Enterprise Role Management (ERM) component. It benefits from the integration with RAR and CUP, from an enterprise-wide methodology that in particular makes naming consistent, and from a capability for role mass maintenance. Detailed role creation is not the focus of ERM; experts prefer the standard transactions, which are actually supported from within ERM, or specialized non-SAP tools.

Integration with Identity Management systems is state-of-the-art: all major LDAP-based directory service products are supported, as well as HR systems, including a user mapping functionality.

Finally, Superuser Privilege Management (SPM) allows the creation of specific IDs for short-term remediation firefighter activities requiring elevated privileges. The application is well conceived and simple to use; emergency access through the SPM interface ensures fine-grained audit, which makes it a quick win. Yet the privileged user concept should be developed and planned in advance. The integration with the other AC tools is limited, but it does support non-SAP privileged account management through the Greenlight adapters.

Date: 15.04.10
Title: Product Report: SAP Business Objects GRC Access Control
By Sachar Paulus (sp@kuppingercole.com)
Price: €95.00