For many enterprises, SAP systems are an essential part of the backbone of their corporate IT infrastructure. Critical business information is stored within ERP systems, and the golden source for employee data might still be the SAP HR system. Business processes are implemented through portal solutions relying on SAP infrastructure, data is held in SAP HANA, the migration to S/4HANA is ongoing, and highly individualized functionality is coded right into the existing standard SAP modules by using ABAP or Java.
Although there are many other systems in place, which contain critical information as well, many businesses still rely on the availability of well-designed and well-protected SAP Systems. Traditionally, SAP systems are major focus area for internal and external auditors. For the successful implementation of adequate controls, it is essential that all existing SAP systems are covered by an effective solution for managing risks, and within that for managing access control and SoD controls and implementing adequate Access Governance.
On the other hand, with the overall shift to the cloud, more and more of critical business systems shift to the cloud, either to solutions provided by SAP such as SuccessFactors or Ariba, or to other vendors’ solutions. Thus, the scope for centralized access controls is expanding beyond the traditional ABAP systems, and even beyond SAP. The requirements for solutions are expanding, either by supporting a broader range of systems or by delivering adequate integration points with other solutions covering e.g. SaaS applications.
1.1 Market Segment
In this KuppingerCole Leadership Compass, we analyze solutions that support managing access controls specifically for SAP environments, but beyond the SAP Business Suite. The main focus is on delivering the depth for implementing management and controls in these environments. However, with the changing landscape of business applications, broader support for implementing controls across all critical business systems becomes also focus of our evaluation.
Thus, the segment is expanding in two directions:
- Breadth of supported environments, i.e. SAP Business Suite, SAP HANA and S/4HANA, and business applications that are provided as SaaS applications (Software as a Service) by SAP and others, with a specific focus on the SAP-provided solutions.
- Breadth of capabilities, beyond just identifying critical entitlements and SoD violations to a broader scope of mitigating access-related risks in such environments.
Furthermore, deployment models for both the managed services and the solutions are changing, with more SaaS services to manage, and deployment in different ways – as ABAP solution, with SAP Fiori user interface, or separately from SAP as web applications or even as cloud services.
The core of functionality remains in the management of access controls including critical entitlements and SoD conflicts in SAP environments. However, solutions frequently also cover additional features such as break-glass access management (firefighter, emergency access), user lifecyclce management, role optimization, and more.
The solutions span from solutions targeted at read-only analysis for audits to comprehensive suites covering a broad range of capabilities around access control and security for SAP environments.