1 Introduction / Executive Summary
For many enterprises, SAP systems are an essential part of the backbone of their corporate IT infrastructure. Critical business information is stored within ERP systems, and the golden source for employee data might still be the SAP HR system. Business processes are implemented through portal solutions relying on SAP infrastructure. Data is held in SAP HANA; the migration to S/4HANA is ongoing, and highly individualized functionality is coded right into the existing standard SAP modules by using ABAP or Java.
Although there are many other systems in place which contain critical information as well, many businesses still rely on the availability of well-designed and well-protected SAP Systems. Traditionally, SAP systems are a major focus area for internal and external auditors. For the successful implementation of adequate controls, it is essential that all existing SAP systems are covered by an effective solution for managing risks, and within that for managing access control and SoD controls and implementing adequate Access Governance.
On the other hand, more and more of critical business systems are following the trend of shifting to the cloud, either to solutions provided by SAP such as SuccessFactors or Ariba, or to other vendors' solutions. Thus, the scope for centralized access controls is expanding beyond the traditional ABAP systems and even beyond SAP. The requirements for solutions are expanding, either by supporting a broader range of systems or by delivering adequate integration points with other solutions covering, e.g., SaaS applications.
This is reflected in this Leadership Compass, where deep support for both SAP environments and other vendor's business applications is in focus. We will also focus on a broader range of supported deployment models, with preference for deployments that include as-a-service models.
- The customer requirements for access control solutions for their business applications are changing rapidly in the context of the journey towards SaaS services, with many organizations needing solutions that cover a range of Line of Business (LoB) applications from different vendors, operated in varying models
- Several customers continue to focus on their traditional SAP environments, with the SAP department being the buyer, looking for deep integration into these environments and familiar user interfaces
- We expect the trend towards supporting a broader range of LoB applications to continue, within SAP's own portfolio, e.g., SuccessFactors, and beyond
- New entrants to the market focus on a deeper integration of cross-system IGA (Identity Governance & Administration), and access control solutions for LoB applications, putting pressure on established vendors
- The number of vendors being backed by Venture Capital or Private Equity has increased significantly, fostering innovation and competition
- For non-SAP solutions, the long-standing experience regarding best practice role models, critical access rule sets, and SoD (Segregation of Duty) role sets is still lacking at most vendors; thus, few are already delivering the depth of support they provide for SAP ECC, and customers should carefully evaluate in their PoCs whether support for other systems delivers on their expectations and requirements
- AI (Artificial Intelligence) and ML (Machine Learning) are gaining momentum quickly, supporting leading solutions in better analytics and recommendations
- Overall Leaders are (in alphabetical order) Appsian, Pathlock, SailPoint, SAP, Saviynt
- Product Leaders are (in alphabetical order) Appsian, CSI tools, Pathlock, SailPoint, SAP, Saviynt, and SIVIS
- Innovation Leaders are (in alphabetical order) Akquinet, Appsian, CSI tools, Pathlock, SailPoint, SAP, Saviynt, SIVIS, and Soterion