Leadership Compass

Access Control Solutions for SAP and other Business Applications

This report provides an overview of the market for Access Control Tools for the emerging business application environments, encompassing SAP, but also a growing number of other business applications, and provides you with a compass to help you to find the solution that best meets your needs. We examine the market segment, vendor service functionality, relative market share, and innovative approaches to providing solutions that increase security in these business application environments for SAP and beyond, by restricting access, controlling break-glass access, and related capabilities.

Martin Kuppinger


1 Introduction / Executive Summary

For many enterprises, SAP systems are an essential part of the backbone of their corporate IT infrastructure. Critical business information is stored within ERP systems, and the golden source for employee data might still be the SAP HR system. Business processes are implemented through portal solutions relying on SAP infrastructure. Data is held in SAP HANA; the migration to S/4HANA is ongoing, and highly individualized functionality is coded right into the existing standard SAP modules by using ABAP or Java.

Although there are many other systems in place which contain critical information as well, many businesses still rely on the availability of well-designed and well-protected SAP Systems. Traditionally, SAP systems are a major focus area for internal and external auditors. For the successful implementation of adequate controls, it is essential that all existing SAP systems are covered by an effective solution for managing risks, and within that for managing access control and SoD controls and implementing adequate Access Governance.

On the other hand, more and more of critical business systems are following the trend of shifting to the cloud, either to solutions provided by SAP such as SuccessFactors or Ariba, or to other vendors' solutions. Thus, the scope for centralized access controls is expanding beyond the traditional ABAP systems and even beyond SAP. The requirements for solutions are expanding, either by supporting a broader range of systems or by delivering adequate integration points with other solutions covering, e.g., SaaS applications.

This is reflected in this Leadership Compass, where deep support for both SAP environments and other vendor's business applications is in focus. We will also focus on a broader range of supported deployment models, with preference for deployments that include as-a-service models.

1.1 Highlights

  • The customer requirements for access control solutions for their business applications are changing rapidly in the context of the journey towards SaaS services, with many organizations needing solutions that cover a range of Line of Business (LoB) applications from different vendors, operated in varying models
  • Several customers continue to focus on their traditional SAP environments, with the SAP department being the buyer, looking for deep integration into these environments and familiar user interfaces
  • We expect the trend towards supporting a broader range of LoB applications to continue, within SAP's own portfolio, e.g., SuccessFactors, and beyond
  • New entrants to the market focus on a deeper integration of cross-system IGA (Identity Governance & Administration), and access control solutions for LoB applications, putting pressure on established vendors
  • The number of vendors being backed by Venture Capital or Private Equity has increased significantly, fostering innovation and competition
  • For non-SAP solutions, the long-standing experience regarding best practice role models, critical access rule sets, and SoD (Segregation of Duty) role sets is still lacking at most vendors; thus, few are already delivering the depth of support they provide for SAP ECC, and customers should carefully evaluate in their PoCs whether support for other systems delivers on their expectations and requirements
  • AI (Artificial Intelligence) and ML (Machine Learning) are gaining momentum quickly, supporting leading solutions in better analytics and recommendations
  • Overall Leaders are (in alphabetical order) Appsian, Pathlock, SailPoint, SAP, Saviynt
  • Product Leaders are (in alphabetical order) Appsian, CSI tools, Pathlock, SailPoint, SAP, Saviynt, and SIVIS
  • Innovation Leaders are (in alphabetical order) Akquinet, Appsian, CSI tools, Pathlock, SailPoint, SAP, Saviynt, SIVIS, and Soterion

1.2 Market Segment

In this KuppingerCole Leadership Compass, we analyze solutions that support managing access controls specifically for SAP environments and other vendor's business applications or LoBs (Line of Business applications). The main focus is on delivering the depth for implementing management and controls across these environments. With the changing landscape of business applications, broader support for implementing controls across all critical business systems has become a focus of our evaluation.

Thus, the segment is expanding in two directions:

  • Breadth of supported environments, e.g., SAP Business Suite, SAP HANA and S/4HANA, and business applications that are provided as SaaS applications (Software as a Service) by SAP as well as by other vendors such as Workday, Salesforce, Microsoft, Oracle, and many others, with the expectation that solutions deliver strong support for SAP environments, but also support the broadening range of LoBs in use by organizations.
  • Breadth of capabilities, beyond just identifying critical entitlements and SoD violations to a broader scope of mitigating access-related risks in such environments.

Furthermore, deployment models for both the managed services and the solutions are changing, with more SaaS services to manage, and deployment in different ways – as ABAP solution, with SAP Fiori user interface, or separately from SAP as web applications or, becoming the new standard, as SaaS services.

The core of functionality remains in the management of access controls including critical entitlements and SoD conflicts in SAP and other LoB environments. However, solutions frequently also cover additional features such as break-glass access management (firefighter, emergency access), user lifecycle management, role optimization, and more.

The solutions span from solutions targeted at read-only analysis for audits of SAP core systems to comprehensive suites covering a broad range of capabilities around access control and security for a heterogenous set of LoB solutions, including SAP solutions.

1.3 Delivery Models

We did not restrict our analysis in this Leadership Compass regarding the delivery models. We currently find a broad range of implementation models, from pure-play ABAP solutions to ones having a Fiori app added to full SaaS services, but also some SaaS services that integrate with ABAP modules back to SAP. While the trend is towards SaaS solutions, we have covered all types of deployment models in this report.

Generally speaking, our focus in rating is on a maximum flexibility for customers. There are advantages and disadvantages of all approaches. A full integration as ABAP solution is great for supporting the traditional SAP environments, but comes to its limits in supporting other vendor's SaaS solutions. Although, while the user interface still might be favored by experienced SAP users, many users – including experienced SAP users – nowadays prefer modern user experiences.

Fiori as user interface is something some that are familiar with SAP environments might prefer, while others might prefer other web UIs, not limited to the Fiori UX (user experience) paradigms.

Solutions that run separately from SAP environments are better suited for supporting SaaS services and applications beyond SAP solutions. Some of these also excel in user experience, based on modern UIs with high usability.

It depends on the current and future scope of applications to manage, and on the features in focus, which of the various delivery models is best suited for whom. However, the tendency appears clear: Away from traditional ABAP, towards modern user experience, supporting the increasingly heterogeneous business application infrastructure, and being delivered as SaaS.

Factually, solutions can be grouped into four types:

In this market segment, we find a range of solutions with varying scope and different deployment models.
Figure 9: In this market segment, we find a range of solutions with varying scope and different deployment models.

Solutions can run in the SAP ecosystem or outside of it, the latter commonly being deployed as SaaS. They can focus on SAP only or extend beyond that ecosystem. The number of vendors that stick to a SAP-only approach has decreased significantly since the previous edition, with most vendors including SAP adding interfaces and support for non-SAP LoB solutions.

1.4 Required Capabilities

Due to the variety of capabilities provided by the solutions that are currently offered, but also with respect to the changing environments, there is a broad set of capabilities we are looking for, split into baseline capabilities and advanced capabilities. The baseline capabilities dominate the rating, with other capabilities adding to this.

The exception is broad support for systems, beyond the traditional SAP Business Suite. The breadth of support of LoB applications beyond the traditional SAP scope has high impact on our ratings, given the fact that we see increasing demand and strategic changes in the way business system environments look like.

Baseline capabilities we are looking for:

  • Flexible deployment models, including as-a-service deployments
  • Support for all major SAP systems and versions
  • Support for other vendor's business applications
  • Analysis of the current status of entitlements/roles at all levels, from transactions to business roles, including Access Risk Analysis
  • Role and entitlement management
  • Access management, i.e., assignment of entitlements (Access Management)
  • SAP super-user management and privileged user management for other LoB solutions (see below)
  • Identity Lifecycle Management for the target applications, i.e. creating and managing accounts (User Management)
  • SAP Firefighter capabilities, and ideally emergency access management for other LoB applications (see below)
  • SoD controls management, check, and enforcement across all supported systems
  • Central Reporting and Dashboarding
  • Access Review support

Advanced capabilities we are interested in seeing as part of these products:

  • Support for hybrid deployment models or pure SaaS deployment
  • Automated role optimization
  • Support for non-ABAP systems
  • Support for SAP cloud solutions such as SAP Hybris, SAP Customer Cloud, Concur, Ariba, SuccessFactors, etc.
  • Support for non-SAP business applications, both on premises and SaaS, including Enterprise Service Management solutions such as ServiceNow and Jira
  • Go-Life support for SAP systems (specifically S/4HANA) with focus on entitlements, i.e. transferring entitlements
  • Password Self Service and Single Sign-On
  • Integration capabilities to cross-plattform IGA solutions (covering non-SAP-systems for both Identity Lifecycle Management and Access Governance)
  • Auditor support and run-time execution for audits
  • Support for specifics of platforms such as SAP BI, S/4HANA, and SAP HANA In Memory Database
  • Super user management for other business applications
  • Firefighter capabilities for other business applications
  • System hardening capabilities
  • Capabilities for managing exports and transfers of critical data, such as HR data

Inclusion criteria:

  • Solutions covering all or most of the baseline capabilities
  • All deployment models – solutions can run on premises as ABAP applications, on premises in other models, hybrid, or as SaaS applications
  • Solutions covering only SAP environments
  • Solutions not covering SAP environments, if these support a range of other business applications

Exclusion criteria:

  • Solutions that only cover singular baseline capabilities such as Firefighter access for SAP only
  • Solutions that are targeted on read-only analysis of entitlements and risk analysis for auditors, but don't support active management of users and entitlements
  • Solutions that don't support the entire depth of entitlement/roles at all levels, i.e. solutions that e.g. only can assign users to SAP business roles but can't manage entitlements of such roles

We've reached out to a large number of vendors for providing a comprehensive overview of the current state of the market. Picking the right vendor finally always will depend on your specific requirements and your current and future landscape that must be managed.

Continue reading...
Read the full report and get access to KuppingerCole Research for 4 weeks.
Start Your Free Trial
Already a subscriber? Click here to login.