Next-Level Reporting: Managed Services Revolutionize SAP GRC Access Control Operations

This blog is an update to an earlier post: Achieve Seamless, Efficient SAP GRC Access Control Operations through Managed Services.

As organizations transition to SAP S/4HANA and SAP cloud solutions, they often discover that GRC capabilities and processes also need to be updated on a more frequent basis. One example of a continuously changing dataset is the segregation of duties (SoD) ruleset. With S/4HANA, the GRC ruleset now supports monitoring many new access types including Fiori apps and HANA database access. While an implementation or upgrade project would typically include the relevant set of Fiori apps in the ruleset at a specific point in time, the continued effort of keeping the ruleset up to date with newly implemented Fiori apps is equally important. Additionally, as the landscape shifts to cloud applications, there’s an increasing need to integrate existing security and access governance processes via add-on solutions like SAP IAG Bridge. Ongoing specialized activities such as these and more are required to support and manage this evolving landscape and can be efficiently performed by a GRC Managed Service provider.

What is GRC Managed Services?

GRC Managed Services provides a specialized workforce that can perform strategic activities and initiatives. In addition to identifying and deploying incremental changes on demand, GRC Managed Services can perform many ongoing operational activities such as managing daily or periodic GRC reporting and ongoing monitoring of key performance metrics. The improved data availability in HANA based applications helps enable these frequent reporting activities, but for many organizations, having a GRC administration resource pool dedicated to these types of activities is not feasible, or simply not necessary as an outsourced managed services team can provide greater value and drive efficiency through specialized skillsets.

SoD and sensitive access management

The day-to-day operations of access risk analysis (ARA) varies from one organization to another. However, there is a common theme of reporting risk analysis results periodically while helping executives and reviewers interpret the issues in business context to ensure appropriate risk remediation or mitigation of the risks. SAP GRC applications ship with a handful of dashboards but occasionally, it is necessary to leverage data visualization software like Power BI or Tableau to create custom visualizations tailored to an organization’s needs.

A few other key daily or periodic activities related to risk analysis are:

Monitoring synchronization and batch risk analysis jobs
On-demand ruleset updates, including new Fiori apps and custom transaction to the ruleset
Optimizing risk analysis results by maintaining exclude objects and critical roles / profiles
Continued remediation and mitigation efforts to improve security compliance
Ensuring optimum performance through periodic clean-up jobs and appropriate system usage

Example: Access risk dashboards

Emergency access management

Also known as the firefighter module, emergency access management (EAM) can mostly be set to autopilot through firefighter access provisioning and firefighter log review workflows. A managed services team can be leveraged to provide:

Proper master data maintenance to support the workflows
On-call support to address or workaround any unexpected errors
Supervision of workflow SLAs and follow ups as needed
Trend analysis reviews and optimization of firefighter usage
Monitoring of EAM background jobs
Ensuring log review workflows are completed timely

Example: firefighter access and usage dashboards

User provisioning and role management

Access request management (ARM) workflows facilitate a compliant SAP user access request process and automated provisioning of access. While business role management (BRM) has its own workflow and methodologies for role maintenance, it is more commonly used as the technical and business role repository to support ARM workflows. A managed services team can help implement and optimize ARM and BRM functional scope based on the organization’s needs and complexity. Once implemented, the key tasks of a GRC managed services team might include:

Maintaining an up to date BRM library, including new business roles
Providing trend analysis and optimization of workflow usage
Addressing workflow enhancement / optimization needs
Monitoring background jobs and active workflow instances

User access review and SoD review

The successful execution of key periodic review rounds is one of the most important responsibilities for a GRC managed services team. SAP GRC offers two automated workflows that address the periodic SAP user access review (UAR) and SoD and sensitive access review (SoDR) needs, which are typically executed at least semi-annually. After sending the review requests to the reviewers through GRC, the team would typically perform the following activities:

Daily monitoring of review completions, including providing technical support to the reviewers
Managing rejected request items
Scheduling timely reminder emails
Managing escalations
Ensuring appropriateness of UAR decisions made by the reviewers
Identifying and executing optimal SoD resolution based on reviewer input

Putting it all together

In addition to GRC Access Control specific tasks noted above, support pack upgrades, resolving newly identified bugs, evaluating and solutioning new functional requirements, ensuring up-to-date user training materials based on functionality or process enhancement, etc., can lead to IT support bottlenecks or unforeseen consulting costs. Protiviti’s GRC Managed Services are designed to address such needs cost-effectively, enabled by a team with years of GRC implementation and support experience. The service model is scalable and flexible to be customized based on customer-specific needs. Team operations are driven by KPIs ensuring optimum cost and integration with the clients’ overall IT support model.

The service incorporates Power BI and Tableau dashboards to supplement the default dashboards and enables ongoing KPI monitoring, with existing visualizations for over 40 GRC access control KPIs. These dashboards can be custom tailored to existing needs and encourage interaction so each user can filter and focus on the data needed to drive action.