Leadership Compass

Access Control Tools for SAP Environments

This report provides an overview of the market for Access Control Tools for SAP Environments and provides you with a compass to help you to find the solution that best meets your needs. We examine the market segment, vendor service functionality, relative market share, and innovative approaches to providing solutions that increase security in SAP Environments by restricting access, controlling break-glass access, and related capabilities.

Martin Kuppinger

mk@kuppingercole.com

1 Introduction

For many enterprises, SAP systems are an essential part of the backbone of their corporate IT infrastructure. Critical business information is stored within ERP systems, and the golden source for employee data might still be the SAP HR system. Business processes are implemented through portal solutions relying on SAP infrastructure, data is held in SAP HANA, the migration to S/4HANA is ongoing, and highly individualized functionality is coded right into the existing standard SAP modules by using ABAP or Java.

Although there are many other systems in place, which contain critical information as well, many businesses still rely on the availability of well-designed and well-protected SAP Systems. Traditionally, SAP systems are major focus area for internal and external auditors. For the successful implementation of adequate controls, it is essential that all existing SAP systems are covered by an effective solution for managing risks, and within that for managing access control and SoD controls and implementing adequate Access Governance.

On the other hand, with the overall shift to the cloud, more and more of critical business systems shift to the cloud, either to solutions provided by SAP such as SuccessFactors or Ariba, or to other vendors’ solutions. Thus, the scope for centralized access controls is expanding beyond the traditional ABAP systems, and even beyond SAP. The requirements for solutions are expanding, either by supporting a broader range of systems or by delivering adequate integration points with other solutions covering e.g. SaaS applications.

1.1 Market Segment

In this KuppingerCole Leadership Compass, we analyze solutions that support managing access controls specifically for SAP environments, but beyond the SAP Business Suite. The main focus is on delivering the depth for implementing management and controls in these environments. However, with the changing landscape of business applications, broader support for implementing controls across all critical business systems becomes also focus of our evaluation.

Thus, the segment is expanding in two directions:

  • Breadth of supported environments, i.e. SAP Business Suite, SAP HANA and S/4HANA, and business applications that are provided as SaaS applications (Software as a Service) by SAP and others, with a specific focus on the SAP-provided solutions.
  • Breadth of capabilities, beyond just identifying critical entitlements and SoD violations to a broader scope of mitigating access-related risks in such environments.

Furthermore, deployment models for both the managed services and the solutions are changing, with more SaaS services to manage, and deployment in different ways – as ABAP solution, with SAP Fiori user interface, or separately from SAP as web applications or even as cloud services.

The core of functionality remains in the management of access controls including critical entitlements and SoD conflicts in SAP environments. However, solutions frequently also cover additional features such as break-glass access management (firefighter, emergency access), user lifecyclce management, role optimization, and more.

The solutions span from solutions targeted at read-only analysis for audits to comprehensive suites covering a broad range of capabilities around access control and security for SAP environments.

1.2 Delivery models

We did not restrict our analysis in this Leadership Compass regarding the delivery models. While most solutions still run within the SAP environment or as separate on premises application, some vendors already provide managed service models and cloud services.

Generally speaking, our focus in rating is on a maximum flexibility for customers. There are advantages and disadvantages of all approaches. A full integration as ABAP solution is great for supporting the traditional SAP environments, but comes to its limits regarding new types of solutions. Also, the user interface still might be favored by experienced SAP users.

Fiori as user interface is something many others that are familiar with SAP environments might prefer, while others might prefer other web UIs, not limited to the Fiori UX (user experience) paradigms.

Solutions that run separately from SAP environments are better suited for supporting SaaS services and applications beyond SAP solutions. Some of these also excel in user experience, based on modern UIs with high usability.

It depends on the current and future scope of applications to manage, and on the features in focus, which of the various delivery models is best suited for whom. However, the tendency appears clear: Away from traditional ABAP, towards modern user experience, supporting the increasingly heterogeneous business application infrastructure.

1.3 Required capabilities

Due to the variety of capabilities provided by the solutions that are currently offered, but also with respect to the changing environments, there is a broad set of capabilities we are looking for, split into baseline capabilities and advanced capabilities. The baseline capabilities dominate the rating, with other capabilities adding to this.

The exception is broad support for systems, beyond the traditional SAP Business Suite, which is rated high, given the fact that we see increasing demand and strategic changes in the way business system environments look like.

Baseline capabilities we are looking for:

  • Analysis of the current status of entitlements/roles at all levels, from transactions to business roles, including Access Risk Analysis
  • Role and entitlement management
  • Access management, i.e. assignment of entitlements (Access Management)
  • SAP super-user management
  • Identity Lifecycle Management for the target applications, i.e. creating and managing accounts (User Management)
  • SAP Firefighter capabilities
  • SoD controls management, check, and enforcement
  • Central Reporting and Dashboarding
  • Access Review support

Advanced capabilities we are interested in seeing as part of these products:

  • Support for hybrid deployment models or pure SaaS deployment
  • Automated role optimization
  • Support for non-ABAP systems
  • Support for SAP cloud solutions such as SAP Hybris, SAP Customer Cloud, Concur, Ariba, SuccessFactors, etc.
  • Support for non-SAP business applications, both on premises and SaaS
  • Go-Life support for SAP systems with focus on entitlements, i.e. transferring entitlements
  • Password Self Service and Single Sign-On
  • Integration capabilities to cross-plattform IGA solutions (covering non SAP-systems for both Identity Lifecycle Management and Access Governance)
  • Auditor support and run-time execution for audits
  • Support for specifics of platforms such as SAP BI, S/4HANA, and SAP HANA In Memory Database

Inclusion criteria:

  • Solutions covering all or most of the baseline capabilities
  • All deployment models – solutions can run on premises as ABAP applications, on premises in other models, hybrid, or as SaaS applications

Exclusion criteria:

  • Solutions that only cover singular baseline capabilities such as Firefighter access only
  • Solutions that are targeted on read-only analysis of entitlements and risk analysis for auditors, but don’t support active management of users and entitlements
  • Solutions that don’t support the entire depth of entitlement/roles at all levels, i.e. solutions that e.g. only can assign users to SAP business roles but can’t manage entitlements of such roles

We’ve reached out to a large number of vendors for providing a comprehensive overview of the current state of the market. Picking the right vendor finally always will depend on your specific requirements and your current and future landscape that must be managed.

Continue reading...
Read the full report and get access to KuppingerCole Research for 4 weeks.
Start Your Free Trial
Already a subscriber? Click here to login.