Critical business applications are no longer confined to on-prem SAP installations. Organizations are moving rapidly to cloud-based systems offered by SAP and other vendors, which means many businesses are having to rethink their access-related risk management capabilities.

For many organizations, critical systems are now found both on-prem and in the cloud. This makes it challenging to meet compliance requirements for managing risks, which typically include managing access controls and SoD (segregation of duty) controls, as well as implementing adequate Access Governance.

Organizations’ requirements for access control solutions for their business applications are consequently changing. As enterprises increasingly embrace the Software as a Service (SaaS) delivery model, they need access control solutions that cover a range of Line of Business (LoB) applications from different vendors, operating in varying delivery models.

Due to continued dependency on some SAP systems for providing an essential part of corporate IT infrastructure, enterprises need access control systems that provide deep integration with these SAP systems, but also with the growing number of SAP and non-SAP cloud-based LoB applications.

As a result, new vendors entering the market are focusing on a deeper integration of cross-system IGA (Identity Governance & Administration) and access control solutions for LoB applications. Finding the most effective and most appropriate solutions is essential in the highly competitive modern business world, but it can be challenging.

It is therefore essential for all organizations to identify accurately their access control needs and understand what is on offer in this rapidly expanding and evolving market to ensure they choose vendors that have the necessary breadth and depth of offering to meet their business requirements.

The requirements for centralized access control solutions are expanding, either by supporting a broader range of systems or by delivering adequate integration points with other solutions, including SaaS applications.

— Martin Kuppinger, Principal Analyst, KuppingerCole.

Because we understand the importance of centralized access controls for business applications, and because we are committed to helping your business succeed, KuppingerCole has a great deal of content available in a variety of formats.


To get up to speed on access control tools for emerging business application environments, have a look at the recently published Leadership Compass on Access Control Solutions for SAP and other Business Applications, which is designed to help you find the solution that best meets your needs.

The findings of this research will be featured in a dedicated session at this year’s European Identity and Cloud (EIC) conference in Berlin.

For a broad perspective on Access Governance solutions in the context of business applications, have a look at the Leadership Compass on Identity Governance & Administration, and for a broad perspective on Access Management, have a look at the Leadership Compasses on Access Management and Privileged Access Management.

Many organizations are looking to cloud-based Identity as a Service (IDaaS) offerings due to the improved time-to-value proposition of IDaaS for traditional Identity Provisioning and Access Governance. For an analysis of this market, a detailed evaluation of the market players, and how they relate to business applications, have a look at the Leadership Compass on Identity as a Service (IDaaS) IGA.

To find out more about access controls for SAP and other business applications in the context of the “Identity Fabric” paradigm of a comprehensive set of identity services, have a look at the Leadership Compass on Identity Fabrics. However, if your organization is heavily reliant on SAP systems, also have a look at the Leadership Compass dedicated to Access Control Tools for SAP Environments.


As mentioned earlier, modern IT environments are complex. There is consequently increased security risk and compliance risk. This means that traditional approaches to Access Governance are no longer fit for purpose. A risk-based and policy-based approach is needed to reduce the cost, effort, and complexity of overseeing and enforcing access entitlements, including access reviews and recertification. To find out more, have a look at this Advisory Note entitled: Redefining Access Governance: A broader perspective.


If you would prefer to listen to what our analysts have to say on the topic of access controls for business applications, have a look at this video blog on How to Find the Right Strategy for Access Control Management and this Analyst Chat on Access policies as the Common Language for Defining Access.


For concise insights into the topic of access controls for business applications, have a look at these blog posts:


SAP systems have traditionally been a major focus area for auditors. It is therefore essential that all existing SAP systems are covered by an effective solution for managing risks. To hear more on this topic, have a look at these webinars:

It is imperative to combine IAM and governance, risk management, and compliance (GRC) in order to verify that access to critical business applications is granted correctly, without violating any policy. For more on how to improve IAM processes, have a look at this webinar on The 3 Pillars of Access Control Optimization: IAM, GRC and User Monitoring.

The purpose of an identity management system is to support access control to an organization’s sensitive systems and protected resources. To find out more about where access control systems are going, have a look at this webinar on the Evolution of Access Control.

Policy-based access control (PBAC) combines identity attributes and context variables to enable sophisticated granting of access to corporate systems and protected resources based on centrally managed policies that ensure consistent access control decisions across the enterprise. To learn more about this approach, look at this webinar entitled: Policy-Based Access Control – Consistent Across the Enterprise.

Enterprises inevitably face the challenge of managing risk and maintaining regulatory compliance across multiple and highly heterogeneous critical applications. For a perspective on a viable approach to tackling this challenge, have a look at this webinar entitled: Redefining Access Governance for Security and Fraud Prevention in Critical Applications.

While there is a constant need for businesses to continually modify, extend, and modernize their processes and business models, there is often a lack of adequate and agile data access control and management functionality. To explore this topic, have a look at this webinar entitled: Fine-Grained Policy-Based Access Control: Why & How?

Tech Investment

Organizations investing in technologies to support centralized access controls for business applications can have a look at some of the related technology solutions that we have evaluated: 

SAP Cloud Identity Access Governance

Soterion for SAP

SAP HANA Platform Security

SAP Data Custodian

SailPoint Access Risk Management

CSI Tools

SAST Suite by akquinet

Saviynt Security Manager for Enterprise IGA

Saviynt Enterprise Identity Cloud

PortSys Total Access Control

Thales SafeNet Trusted Access Platform