Webinar Recording

Getting Identity and Access Management Right – Even If SAP Is Involved



Implementing Identity and Access Management universally across multiple IT infrastructures and software platforms is a major challenge for any organization. To do their daily job successfully, users today expect to get access to the information they need from anywhere at any time, regardless of the target system or application. IT departments are struggling to make this access frictionless for users while maintaining compliance with corporate and government-imposed security and privacy regulations. This task is even more complicated if business-critical platforms like SAP are involved: not only does SAP have its own security and access governance requirements, it is also usually managed by a completely separate team from the one responsible for the enterprise-wide IAM program.

Good afternoon, ladies and gentlemen, welcome to our KuppingerCole webinar, Getting Identity and Access Management Right – Even If SAP Is Involved. This webinar is supported by One Identity. The speakers today are Alexei Pinto, who is senior product manager at One Identity, and me, Martin Kuppinger. I'm CEO, founder, and principal analyst at KuppingerCole. Before we start, some quick information about KuppingerCole and some housekeeping information. KuppingerCole is an independent analyst organization. We were founded back in 2004, and we are offering neutral advice, expertise, thought leadership and practical relevance in various fields, in particular around information security, with a strong history and emphasis on the identity management field. We do research, such as our Leadership Compass documents, where we'll publish a couple in the next few weeks; events, I'll talk about this in a minute; and advisory services. So we provide neutral advisory services for strategy development, roadmap, tools choice, and other areas.
When it comes to events, we have a couple of upcoming events. So, on one hand, we'll do the Consumer Identity World Tour. We did a consumer identity event last year in Paris. And this year we will do three: one in Seattle in September, one in Paris in November, one in Singapore in December. Then we will do a Marketing Executive Summit focusing on marketing automation and the relationship between consumer identity and marketing automation next year in February in Germany, and the Digital Finance World, looking at PSD2 and other areas. So all the changes in the finance world, and many of them, again, related to information security, next year, end of February, early March, again in Germany. So some guidelines for the webinar: you are muted centrally. You don't have to mute or unmute yourself. We are controlling these features. We are recording the webinar and we will publish the recording probably latest tomorrow.
And there will be a Q&A session at the end. So you can enter questions at any time, always with the suggestion that you enter the questions early so that we have a good list of questions available by the end of the webinar. So let's have a look at the agenda. As usual, there are three parts. In the first part, I'll talk about enterprise identity management, what it should comprise and what to consider when integrating the SAP environment. In particular, we look also at how to make your project a success, how to get it done in general and also when you have to integrate SAP environments. In the second part, Alexei Bento will talk about an approach towards getting IAM right across the enterprise, including SAP. In the third part, then, as I've said, we will do the Q&A session.
So if you have questions, just enter them once they come to your mind so that we have a good list of questions. You'll find the questions area at the right-hand side of your screen, usually in the GoToWebinar control panel. So when we look at it beyond SAP, but also covering SAP, when we in general look at how we make an identity management project a success: first thing, get stakeholders on board. This is really the very first thing. And if you don't do that, you have a very, very good chance to fail. So the point is, IAM is a transversal project with respect to various aspects. Business is involved. HR is involved. IT is involved. Within IT, you have the IT infrastructure, IT security, the applications; all of them have to do with identity and access. But you also have headquarters and regions, and a region might already do something around identity management which is different from what you do at your headquarters.
So define stakeholders, define a sponsorship. And when you have strong silos, so to speak, in your organization, so your SAP department, then this is part of the transversal thing. It's part of what you have to look at: get it under control, get them on board, make clear this is a joint initiative to the benefit of everyone. The second part is strategy and roadmap. Look at it from a broad perspective, not just looking at, oh, this is a small area, we do provisioning, or we do access governance. It's more, and it's not only a technical thing. That's the other part of this. Yes, there's a lot of technology. And as you can see on that screen, identity management itself, on the right-hand side, consists of various types of technology, so provisioning, access governance, strong authentication and so on, but there are also many other technologies that are related to it. Understand how these things are mapped, define the strategic targets for both business and IT.
Define your strategy, guidelines, organization, processes. So people, processes, tools, whatever you'd like to call it, clearly also including the technology. Create a roadmap, select the right tools. The tools choice is very important. Really understand what are your requirements, how to do it, then do this right. So which part of identity management are you looking at? I've seen many tools choice scenarios where the customers started to compare different things, so really not being clear: what do I really want to solve? And if you start comparing different things, it doesn't really work. Doesn't make sense. So, which part of IAM do you wanna cover? If you have a roadmap, you should know what you will do first, second, et cetera, which are the most relevant things to do. So which are really the problems you want to solve? You never will end up with solving everything. Which, at the end of the day, sort of means: understand your criteria, create a long list, create a short list, run an RFI, or request for information, and request for proposal process.
Ending up, maybe, so doing this for five or six, ending up with two; do the POC, the proof of concept, with the remaining ones. So this is important. It is also very important then to have all the people involved in this process. So if you want to do something which covers all of your IT, including the SAP-specific aspects, for instance, then get your SAP team on board, because they also have to accept the result. People, process, technology. So you need your organizational team. You need to look at policies and guidelines, define them. It really helps. Define your role models, define all that stuff. Spend some time really doing the thinking about it. It helps you create a foundation. And once you have this in place, then you can do technology, not the other way around. If you have defined processes, it's easy to implement an IAM tool.
If you start defining the processes during implementation, you will waste a lot of money. And finally, choose the right partner. So at the end, it always depends on the people who implement it. So you can select the best tool and fail due to the wrong people. So these people need 20% product knowledge. Yes, they need to know the product well. That's 20% of the hundred percent success. The next 20% are project management: lead the project, ensure that there's good project management. Another 20% of the success are the people, so having the real experts. And so if you start with the tool stories and the vendor comes in and says, oh, this is the brilliant guy, but this guy never appears in your project, then you have an issue. Ensure that they are there, that the people understand. Reuse stuff: ensure that your integrator or your partner reuses things, that he doesn't always start from scratch.
And then it's about doing the development right. So using the existing APIs, using the functionality instead of reinventing it. And this is clearly a foundation for every identity management project, but there are aspects in there which are relevant to how do I succeed and how do I get it done. Also, particularly when I have complex organizations where I have a strong SAP department, where I maybe even have a mainframe department, where I have various other departments, then it's very important to understand what the success factors are. And some of them I just touched. So when we now want to do it for SAP and the rest of IT, then we end up clearly with a situation where, for a good reason, also SAP teams say, okay, we have types of tools in mind we are looking at, or we already use; they are SAP-specific things. And then there might be more, this identity management, which is the cross-system thing that I'll touch on in a couple of minutes in more detail.
And then there might be the requirement for the SAP-specific things. So when we look at this, it's again important to look at various aspects. So from a technology perspective, understand what is already there, understand what you wanna do, look at where there are potential redundancies or where to integrate technologies. So understand how you can make the best out of it. When it comes to organization and processes, try to make it friction-free. So if there are things which are specific to SAP, which are done by the SAP team, how do the processes work? What is sort of the connection point with the various departments? By the way, that's the same if you look at HR and the identity management team. So what is the responsibility of HR? What is the responsibility of the global identity management team? The same here: integrate processes, define the responsibilities, the accountabilities, who is responsible for which part of data quality and so on.
When you look at audit, at the end you need consistent controls, but you also need to map this to the higher-level view of how does my IT overall run? How does it look like? And from a user perspective, the user doesn't want to care about, oh, they are different worlds. They want one interface. They want efficient processes. This must be your main target because at the end you don't do it for IT. You do it for the user. Yes, you do it to some extent for the auditors because you have to, but your main target group is the user. That's where you always should look: what is the best way for the user to do it? The user wants to request access once through one interface. That still means that the SAP team might manage the details of the authorization objects, et cetera, the details of all these access controls in their environment.
But the user wants to have it in one view. So how can you integrate? Where are the interfaces? How do you do it? This is, I think, one of the most important things, and some ways how to do it will be presented also later on in the second part of the presentation by Alexei. Obviously, when you look at all this stuff, there's not one size fits all. So you always have breadth versus depth in your tools. So when it comes to breadth, standard identity provisioning provides an enterprise view across all the systems, a very broad approach, and SAP Access Control, SAP GRC as it is frequently still called, provides depth and a deep system view. So these are totally different angles. A SharePoint security tool also provides depth for a certain system, while an enterprise GRC tool or IT GRC tool provides the breadth and the view across all the systems, as access governance does.
So you need to understand how these things map to each other. And at the end, my perspective is you need something which provides you the enterprise view, which then might connect, if still required, to specific tools, but it still then has to have a very deep integration, very deep insight into the core platforms, like an Active Directory, like, that's our main topic today, an SAP environment. So I've picked up a picture I've brought up many times over the past years. In fact, we have the cross-system view with identity provisioning, access governance, or the analytics, recertification, request management and the fulfillment, which is cross-system. And then we have the various systems, and we still might have a system-specific structure. So the role structure within SAP, the entire entitlement structure within SAP, the groups, global groups, local groups in Active Directory, which are somewhat specific and where you still might need some tools for management, but you still need to expose it in a standardized way so that your user has kind of one interface to request access, one interface to understand recertification, and SoD controls or other types of controls; they are not limited to a single system environment.
They might span multiple systems. So you even need to understand that beyond the system. Also, managers who do access recertification: it's anyway a burden they don't like. And if they have to use different interfaces for different tools, they will like it even less. So SAP security is one important thing, but it's only a part of it. So the user, client, SAP, the database, operating system, et cetera; there are so many layers. And obviously it's only just one part here. One of the biggest things then basically we have to understand clearly is the challenge of ownership here. I think it's very important to talk. And that's where I started. I said, you know, get the stakeholders on board, and we are, so to speak, back to get the stakeholders on board: define what is the thing which is the ownership of the SAP team, of the IAM team.
Where are the touchpoints? Where are the integration points? So SAP teams want to own all SAP technology, SAP Access Control, yes. And I think there's a reason for that, in particular if it's based on SAP technology, if it's ABAP-based. Yes, they say this is our world, and we need to run these systems. On the other hand, experience is that SAP teams very, very rarely want to own other technology. They don't want to own, in fact, non-SAP technology for non-SAP environments. So all this identity provisioning, access governance for other systems is something they don't want to own, but your users want to have one interface. They want to have the breadth. They want to see everything in a consistent way. So this is really something which from my perspective is sort of a thing we have to solve.
They also don't want to own the process for non-SAP environments. So the overall IAM process. So we need something which is on top, but which integrates well. So one size really fits all. There are specific things: you need to manage your SAP environments in some depth, but you need to have something which helps you integrate this into your bigger picture, so that you have one way for users to request access, one way to govern all the access, the recertification, access review part, whatever else, to have a consistent business role model across all the platforms and all that stuff. And this is where it's important to understand and to talk, what is the thing he wants need and want to do and need to do? What is the R job? Where do you segregate your responsibilities, the ownership, et cetera? How should the organization look like? And this is the foundation for succeeding. And then clearly you also need a tool set to implement it. And that's where I hand over to Alexei right now. Alexei, right now it's your turn to continue with your part on an approach towards getting IAM right across the enterprise, including SAP.
All right. So going through, thanks again. So we've gone through the introductions, I'll get at it. I have quite a few slides that I like to cover, and I wanna make sure we have some room left for some Q and a at the end. So we'll start off, you know, Martin talked a lot about the whole, about the, started talking about challenges, you know, not just from when I am, but from an overall identity and access management perspective in, in, in true nature. If you look at one of the more challenging issues that you have from an identity access management perspective is it's, it's normally dealing with the number of entitlements that a user has and, or a user can access over a period of time. Right? So little simple questions, like where does Alexei have access to or where, how, or who has access to a particular resource?
It's normally pretty, well, I wasn't going to say easy, because identity management's not easy. I don't want to bring that down to that level, but it's generally fairly straightforward to solve these types of problems with any identity management solution. And you're probably all very familiar with that. Now, unfortunately, you know, with complex enterprise applications like SAP, which have a totally different model, you know, you still have users, you still have the concept of users and groups. However, you also have the complexity that comes with SAP, which, you know, SAP not just has groups and users, but it also has something that you have to deal with. It's the concept of, you know, clients, the concept of profiles, roles, menus, transaction codes, and totally different inheritance rules for each of those particular objects that I just mentioned.
So if you try to boil down the complex relationships that SAP has down to users and groups, which normally is a way that you do your identity management initiatives, it becomes almost impossible, right? Because you can't treat it like Active Directory, which is based on users and groups, you know, where often enough you are simply adding users: you assign a group to a resource, and then you just simply add users to that particular group to gain access to the particular resource. So, you know, you can't model it that way because of the complexity that it brings to the table. On top of that, a common behavior that we've seen with large organizations, or not just large, any organizations that deal with SAP, and that is not just through a professional service organization, but also from our partner ecosystem as well,
that works very closely with these customers. There seems to be a division between the enterprise from a management perspective that includes SAP and everything else. On the surface, it seems to make sense. See, and I think Martin alluded to the fact that, you know, SAP folks wanna own SAP, they wanna make sure that nobody else comes into it, and they want to fully have that management of that particular ecosystem. However, when you start looking into identity management initiatives or identity governance initiatives, right, you can't have that segregation of those two systems. You can't have a disparity in the way that you manage SAP independent from all the other target systems, right? So if you look at, you know, administrators from a Windows or a Unix universe, they don't really share the same common entitlement or kind of that mental map with the SAP folks.
So that makes it kind of difficult to treat these platforms, or actually makes it even easier, I guess, for these folks to put a case that they should manage those disparate systems separately. Obviously this approach, you know, kind of defeats the value from an organization standpoint and provides real challenges because you have kind of the disparate organizations, disparate systems, and you don't have that single view from a user standpoint. And I think Martin alluded to the fact that it is extremely important that, the user doesn't care, but from an ongoing user or business management capabilities, the ability to have that single view into your identity management environment that encompasses all your target systems, which includes, you know, SAP and other target systems that are there, into a single, because at the end of the day, you know, it becomes very difficult to enforce controls like separation of duty across multiple platforms. You know, if you have disparate systems and you manage these systems separately, you can end up with two sets of rules. You can end up with two sets of SoD type of violations that don't correlate to that employee, or that identity, I should say. And it will be specific to accounts from that perspective.
Alright. So here comes, you know, how do we take this approach. So from an identity management perspective, obviously One Identity has a product called One Identity Manager. I mean, it deals with basically all identity management life cycle components, but specific to SAP, this is where we're gonna really kind of concentrate today. Specific to SAP, the goal of Identity Manager is really to simplify the administration of these SAP environments, right? It kind of provides that trusted and authoritative source for all organizational information, right? Once again, right, helping you set up or manage user accounts, groups, roles, profiles, assign transactions, right? It provides that rich support for SAP that includes all the SAP objects. Right? We can tell an administrator where a profile is being used, which activities and transactions are being enabled on which of the clients for which of the users. You know, at the end, we are really providing that single view into the SAP environment that most identity management solutions don't have today.
And more specifically, what I wanted to mention as well is that I think we are one of the only vendors in this space that actually has a fully certified SAP connector to help with the ongoing management of, of the SAP systems. So I wanted to kind of show this and often enough, this is the type of questions that I asked. So I wanted just to make sure you fully understand the, the supported platforms that we currently today, that we support as part of the identity managers, seven SAP web application services, four, that Weaver application know those are all the, the different versions of, of, of that. So that's just something to, to make sure you're cognizant of it. Now, the next, next few slides, I just want to kind of, you know, there's, there's a lot of areas where we can go to help you understand where's the SA where's the actual benefits of using a tool like one identity manager to help not only manage your, your identity management assistance, but be able to integrate your identity management initiatives, which includes SAP in, in, into that central central view.
So I, I have like three or four different of these use cases, no more use cases, but the kind of the benefits that I'll go through. There's more actually, but based on, on the time we wanted to kind of highlight some of the, the key key points, right? First and foremost, unified administration security, right. I think Martin mentioned that the fact that the disparity about the systems that you need to provide that ongoing administration ability to have that flexibility from an end user perspective, right? One identity manager really empowers organizations to manage accounts, access permission from a single instance, right? You look at often and enough in, in SAP SAP basically supports an SAP account. It's, it's really an SAP account centric approach. Really. I should say that which basically handles employees, which cannot really handle employees having multiple user accounts in a way. So they kind of segregate how those accounts are created.
And in the interpretation management of those accounts are kind of separate on the, on the, on the other hand, the value that one identity manager brings, it provides a more comprehensive approach that can, can help you manage these logical disconnected SAP accounts and connect those SAP accounts to an employee identity. So the concept, as you can see here on the slide is that we have that identity manage and driven initiative to that employee where the identity, which could that identity have multiple correlated SAP accounts. So that when you're, when you're managing the aspect of those accounts, you manage essentially you manage the actual employee or the identity level, and therefore those tasks can be then trickled down to the specific accounts, making it easier of, of managing those, those identities or the actual SAP related accounts from a full process integration standpoint. There's another area that we bring extremely value or where any manager brings extremely value, right?
The automation creation of the accounts for that employee, as I already mentioned, the ability to correlate multiple SAP accounts to a central identity ability to actually have ability to have an employee or request self-service request mechanism so that you can actually assign the right membership based on the structural units, automation of deletion after a particular grace period. So if a customer leaves or sorry, not a customer, if a user leaves the company, you then have that overall process as part of the actual user life cycle for you to automate the deletion deletion of those accounts. And not just from a security standpoint, but also from a licensing standpoint as well. So you're helping the, the you're helping maintain the level that you need. You don't have stale accounts that could be still counted from a license standpoint, you know, any changes to the SAP account name, relocation transfer, or assignment organizations.
Those are all taken into account and, and, and affected throughout full synchronization of those objects. Obviously a full synchronization of users and, and, and those correlations that include a manual or automated resolution of conflicts. And, and what I mean by resolution of conflicts or from a full synchronization standpoint is the fact that, you know, it, it, it's kind of the, the status between identity manager and the SAP in regards to how those objects are managed. Right? So for example, how do we, you know, if an object exists in the SAP world, but has not been yet created in the one identity manager, right. Did, did they bypass some of the identity manager initiatives that somebody directly created that account into the SAP system and the one identity manager system doesn't not aware of that. So we have that kind of flexibility to pinpoint those, those items bring into the identity management system as a disabled object, a notification to, you know, can notify administration say, by the way, these are new objects.
Do we want to have those as part of identity management initiative, or if an object exists, an identity manager, but not in a target SAP system, you know, do we delete, you know, it was, it deleted perhaps somebody bypassed the one identity management system and, and deleted there, or was it creation of a new object that perhaps didn't, didn't find didn't go through was that was either at aborted or perhaps the synchronization process didn't, didn't fulfill the creation of that account. Right? So those, those, you know, requests into that requests for SAPs or accounts or assignments of permissions to various clients can also be integrated as part of a self-service interface of one identity manager. And furthermore, I guess one thing I could add the accounting costs for those accounts and permissions can be really valued to some organizations that have a costing procedure in place, which is part of the integrated cost management module within the one identity manager product itself.
All right. So just kind of take a step back before I kind of go into, into kind of talking about some of the other core functionality or SAP core functions that we kind of help management from ongoing identity management perspective. This is kind of a, a kind of, well, at times, kind of a, a overwhelming type of slides when you're really looking at this, but really what I wanted to kind of highlight at this is the concept, right? So you have an SAP account where you can have multiple SAP accounts, those SAP SAP accounts have, have a user master record, right? So that the account itself is the user master record that enables a user to log onto the different SAP systems and, and what it does it access the functions and objects within that limits of the authorization profile that is specify on in, in the roles that have been applied to that, to that master record, to that account, right?
So basically, it contains really all the corresponding information of the user, including the authorization, basically what the user is entitled to gain access to. Obviously a single role, I mean, a composite role is simply a collection of roles; a single role just contains, if you look at it from a slide perspective, kind of an aggregation of the, you know, authorization profile that contains the authorization data and login menus and how the user can access, and the authorization object itself, which really controls what actions a user can perform within the system, right? An authorization object can contain many fields that are related to, you know, allowing kind of complex tests within the system itself. You know, at the end of the day, it's really, as I already mentioned, what actions a user can perform in the system.
And, and that you need to take all that in consideration. So going back to that, the first slide that I kind of presented in regards management, it, it's not as simple as managing, you know, who has access, you know, who has, where does Alexei have access and who has access to those resources? Because it's not a simple way of just adding, you know, it's not, it's not a, just a correlation to a group and adding Alexei to that group who therefore gives them access to those resources. You now have to take it into consideration that there is more to, it is a combination of roles, a combination of the different authorization objects and fields and values that intertwine part of this, so that there has to be a way to interpret for you to interpret that data. So that, so the way you manage your identity management, your other identity management target systems, you have the flexibility to kind of bring in the SAP authorization components and manage in the same way that you do with other systems. And not in the same way, I would say, but allows to at least to centralize the management of that. So that any identity management driven initiative is done from the identity management system itself, which can then, you know, manage the target systems in a very efficient and effective way using the core authorization components of those target systems.
Next is really we talking about is like the SAP functions kind of definition. So really what, what that is, I mean, SAP transactions, authorization, objects, elements like activities and authorization groups that are displayed as, as an SAP function, often enough for a purpose of, in purpose of segregation of duty definitions or GRC type capabilities are actually visible within the one identity management system, which it makes it very interesting because now once again, the whole idea behind it is the centralized management SAP and the centralized management, not just the SAP identity related managements, but the centralization of other systems in combination to that. So this is where we really bring that, that value add to this. So you're looking at compliance, checking segregation of duty company policies necessary to, to ensure corporate compliance, right? For example, an employee may not obtain two entitlements, a and B at the same time, every user account has to have a manager assigned to it.
So, you know, SAP really provides, you know, if you look at, from an SAP specific SAP perspective, and then Martin mentioned as well, SAP provides their governance risk compliance modules called the GRC module for rules checks, right? It's a framework that executes rules, and it really has to be configured upfront within the SAP systems. The main difference that we see the main difference between what you can achieve with the GRC module within SAP and One Identity Manager is that the SAP GRC module, the rules that it takes into consideration are executed as a single independent SAP account, right? It doesn't going back to that same as the whole concept of, you know, different accounts, an individual may have different SAP accounts. Those SAP accounts are often disparate. There is no correlation to one another in the same way it applies. So the GRC kind of rules, it is specific to that single account SAP account.
There is no reference to business dependencies within the entire SAP ecosystem and, and, and the relationship with, to other accounts such as, you know, a super employee identity is often not included on the GRC risk calculation or rule calculation. Therefore, the risk that is that, that is that completely may violate that for that particular violation may not be detected because you may be applying a GRC driven rule to one account. However, that individual, that identity may have multiple accounts, which unless you run separate risk calculations for those two separate accounts, and you do the calculation of the correlation to that. There's no way of knowing if they are going to be true violations in place. And, and there's where we actually, we have that flexibility and, and the added value where we can provide you that view, that instance, or the effective group used by that defined SoD.
That that is often related to that, to the identity itself because of the fact that we can actually correlate the identity within the One Identity Manager to multiple, multiple SAP accounts. And, and obviously here from an SAP audit rule perspective is the ease of being able to show and create these SoD type of auditing rules. As you can see here is kind of a wizard driven, you know, as employee has at least one function below, and the number of titles assigned does not equal to one. So we can actually build these types of rules, very not just for SAP related systems, but any other target systems that are part of our identity management initiative. And therefore we can correlate the entire data together and, and provide that more specific that SAP audit value.
And of course, you know, we're always, we're talking about GRC, as soon as we're talking about GRC, we we're talking about ongoing management. We have to take that the whole fine grain authorization type of capabilities that SAP provides that you need to have that as part of your, your identity management initiatives. If you look at, you know, identity manager, the connector, which is, I already mentioned has the ability to read all the information from the SAP required to define GRC specific abilities, right? So, or, you know, or define grain permissions as, as, as, as we can say, the ability itself is defined by the transactions and authorization objects, you know, such whether a user can create an invoice for example, and the value, the definition for that particular attributes of those authorization objects for example, is that user can create invoice only to customers a and B.
So those fine grain permissions that are defined elements of a particular profile can be assigned to that particular account or combined, or we can help with combination roles and, and, and assigned to those particular user accounts. So extremely powerful, right? So that we, you know, once again, we have that flexibility from a central view perspective to bring in the fine grain permissions, you know, all, as I said, the ability to define those transactions and authorization objects in the way that we can visualize and then assign to the particular accounts in form of a roles or, or pharma driven from, from an identity management perspective.
All right. So the last area that I just kind of wanted to kind of highlight as well, is that often enough, and then we talk now we often talk about SAP. We talked about GRC, how do we actually, you know, how do we integrate with those those systems? How do we bring in, and how do we provide that single view or that central view for the ongoing management of those SAP, but often enough, you know, there's also the concept of the SAP HCM. We have the HCM module, which is, you know, it's often enough, you know, we see that SAP itself is, is a, obviously one of the leading systems for employee data. Oops, hold on a second.
And we do have the connector that is currently available that manages the SAP ecosystems and integrates with GRC. It is the same, there's a subset of that connector that deals with, for some reason here, it's moving back on me. So I apologize for this here, right? And we do have that one-to-one relationship from that source of truth that we can incorporate and, you know, and, and, and represent into, into identity manager. The next slide here, as, as it just jumped on me again, right back communications back to SAP. So we do have not only the flexibility to incorporate those SAP, HR related system information into identity management product. We also have the flexibility to write some of those info type five systems as well, like mail and phone systems, a part of the overall identity management capabilities. And I guess last but not least really at the end, it, you know, we really, what we want to strive is what it takes to get IM right, right.
Is the full path of governance. The full path of governance has to include all your various target systems, right? We have to be able to facilitate accurate, accurate certification campaigns, which encompasses all the, the, the, the access type of information that a particular user has. So, you know, it has to be, we have to paint from a business user perspective. That user has to have a full understanding of the entitlements that a end user has in order to either approve or deny those attestations campaigns. Right. But it has to visualize it has to see us. So we ha it's imperative that we actually bring in that information and provide that central view in regards to, you know, to all the systems that are, are part of the identity management initiative, right? The idea from a modular and integrated perspective, it it's that you can start anywhere and build from there.
You can start from a simple managing Okta directory and build, and then start bringing in more complex applications like SAP, or perhaps if it is a compliance SAP driven initiative, we can start directly from an SAP perspective, bringing your SAP system into a managed central manage identity management perspective and allow you to build from, from that. So there is no right or wrong, or even for the fact that perhaps you could start, you know, if you already have GRC related or SoD type implementations initiative that are you using part of the, your SAP system, you know, how do you bring those into that? How do you correlate and how do you actually have overall management capabilities? You know, that's a way that, you know, that's the entire modular and integrated way that we like to take that approach. And then obviously rapid time to value unify IM components. We want to streamline some of these tasks. We wanna make it easier from a business and ongoing identity management initiative so that you can manage not just manage any of your, your target systems, but incorporate more of the complex type of applications like, like SAP.
All right. With that. Thank you very much. And I guess we'll open it up for some, some questions.
Yes. Thank you, Alexei, for your presentation. And we, as you said directly, we'll move to the Q&A session. So let's start with this part. I already have a couple of questions here. So let's start with that. One is on the connector side. You talked about HCM; there's a question, or in fact two questions: is a connector to SuccessFactors available, or tools like Workday?
Excellent question. So, so as part of, as part of identity. So in, in within Identity Manager, we have the concept of a native connected system modules that are part of, of the product itself. Most recently, we've also released a new offering called Connect for Cloud. And, and the reason in Connect for Cloud, basically what it is, it is a connector factory, it is a SaaS-based connector factory, where we're, we have the ability to create connectors for cloud based applications at a much faster pace than with the normal on-prem connectors. Because if you think of it, the on-prem connectors is tightly embedded with the identity management system. You know, there is there's timelines and you gotta, you have to rev the product and, and then therefore you need to wait until the next time, you know, in order for you to, to utilize that, that target system connector, you have to then upgrade to the latest version of the product.
So we wanted to take some of that burden to be able to integrate to these cloud applications, more specifically the cloud applications, because they're just growing exponentially these days. So to make a very long story short, we have an offering called Connect for Cloud, which is a connector factory, a cloud-based connector factory that uses SCIM as the integration point to One Identity Manager. So as part of the 7.1 release and Identity Manager, will we actually release a SCIM connector? And the SCIM connector has a Connect for Cloud template that you can connect with Connect for Cloud. So Connect for Cloud today has support for various cloud applications. It will have support for, for SuccessFactors and Workday in the coming month. So we're within less than four weeks from having those connectors ready. We're just in the testing stage right now for those particular connectors. So what happens is you can leverage the Connect for Cloud connectors, to integrate, to Identity Manager.
So all the identity and governance initiatives are still will still be driven as part of the One Identity Manager product, however, it's gonna be driven. So when you're connecting to connect to Workday or you're connecting to SuccessFactors or any other cloud-based applications, that's part of the Connect for Cloud family connectors. You, it is the same repeatable process that you have is that you would be utilizing the SCIM connector within One Identity Manager to connect to the endpoint URL that is provided to you as part of our, our offering. Sorry, it's very long, very long answer to a, a very yes or no question.
Okay. We have a lot of other questions here, so let's move to the next one. Can the deletion grace period be managed to support user transfer to different roles, or for example, in a situation where the user will need to help transfer replacement into their old position and continue to have access toward the transition for the transition period. So it's basically about the move process and handling transition periods.
Can, sorry, can
I try, I try to reread and maybe rephrase the question. So can the deletion grace period be, be managed to support the transfer of, of users to different roles, for instance, when a user will need to help replacement in the old position and thus needs to continue to have the access for the transition period. So how do you deal in fact with the mover process where someone needs overlapping access to the old and new position for a while?
I, yeah, I'm sorry. I'm not sure if I fully understand. Can we take that, that aside and I'll, I'll make sure I'll read that out. We
Can, we can take, can take that aside. No problem. All right.
Thank you. And I'll
Okay. Let's look first sec. Can your system help manage SAP license compliance?
Well, one of the things that we, so we do manage, I'm not sure about manage, manage license compliance, but it can help you with your overall license perspective. Because one of the, I think if you look at the SAP orchestration tasks, the slide that I had there, it, it mentions the, the ability to actually delete objects or ability to actually update even, even, even those particular. So if in the case that from a license management capabilities, if, if there is account, if the SAP object needs to, it is counted based in the fact that is live or is still in the target SAP systems, we do have the ability to actually go in and delete those and help you maintain this the right level of, of required license to that SAP system. I'm not sure if I answer the, the question, but in regards to that, this is where we, we kind of have the approach.
Okay. Let's let me look up the next questions. That's maybe a tricky one that I'll take it anyway. Does the SAP connector support provisioning of SAP position based access? That is where SAP roles are associated with positions. So obviously organizational positions and SAP users indirectly get access through their positions. So in fact, can you, based on organizational positions manage access,
You know what I, I, that's an excellent question. And unfortunately I'm not a hundred percent sure on that. I have to dig down. I have to look at it. I have to kind of take a step back and, and look at this question to be able to provide you with the very concrete answer.
Okay. So let's move forward. Is SAP CUA supported?
Yes, it is supported in all the supported versions that that was mentioned on the, on the actual one of the slides that I had.
Okay. So Alexei for the benefit of the audience, can you explain what the CUA is?
Certainly. So CUA, it is, it's called the Central User Administration. So the idea, it, it is an SAP tool to help simplify user management environments that have multiple SAP systems. You know, it's like basically have one SAP client that I, if I'm not mistaken is promoted as the master, and then the other clients are connected and assigned as kind of the subordinates, that particular master. So basically is a way to SAP to centralize and manage of those multiple SAP systems. And obviously, as, as I mentioned before, we do support the, the use of the Central User Administration tools.
Okay. So if SAPT C SAP access control is already deployed, can you integrate with, can you integrate it as one identity manager?
Yeah. Yeah. So we, we, this is something, this is a scenario that we often run into and, and I think any partner ours have had to deal with that. And even our professional service organization had to deal that in the past. The big question here is, is where, what is the, the, the, the one driven is, is it kind of a compliance driven, or perhaps more of an identity management driven perspective? Because if you look at, if you, if you let you know Identity Manager, let's just put it this way. If you use Identity Manager for all the provisioning activities, only when a risk assessments require that's when you, then you have One Identity Manager allowing the SAP GRC to take control of that. Right? So basically this is done, normally is done via web services call where the One Identity Manager product asks GRC to check for risks or, or, or, or if there's any violations during the, a provision initiative and all those authorizations defined in One Identity Manager. And the rules, concern to separation duty are then defined in the actual SAP GRC system. So, yeah, that's something that we see often enough
And what would be the ideal path when implementing SAP access control and, and your one identity manager.
Excellent question. That's I think to answer the question, you kinda ask to have to answer the question by asking a question to know what you have to ask yourself. It is, what is the initiative here? Is it a compliance, as I mentioned, or is it an identity governance initiative you could get way of just, if it's just a compliance initiative, you could get away of simply doing SAP GRC to, to address those. However, as you know, the SAP GRC doesn't take identities in consideration. So if you need to manage identities, you need to have a more broader identity governance initiative that starts from an identity manager perspective. Then I, I think, I mean, I mean, this is what we've seen as well, and, and obviously other folks could, could, could challenge me on, on, on my response. However, it is, it would be imperative that you probably wanna start from an identity management perspective first, get a handle in your identities.
And then as part of, you know, one of the, the alternative phases of your identity management project to start introducing those SAP access type of controls, but it's not just SAP access control SAP, because we're talking about SAP today. These are access controls for the various target systems that you're gonna be onboarding as part of your identity management initiative. Right? So if, if Active Directory is a target system, it's mainframe as mentioned LDAP systems in the way you have to start managing those identities, you have to be able to correlate the, those, those particular accounts from those various systems into a central repository. And then you have to figure out the next steps is, is, you know, how do you manage access to that? Do you start implementing certification campaigns? And this is where then potentially policies and segregation of duty rules can come into play as well.
Okay, great Alexei. So we are approaching the end of the time. We have, we have still a long list of out and of questions here, which we can't take all. So Alexei, you will, will follow up on these questions directly. I propose thank you very much to all the attendees. Thank you very much Alexei, and hopefully have you soon in another call webinar again. Thank you.
All right. Thanks. Thanks everyone.
