SAP Insider 2023 Summary


Recently, our Inprosec team had the opportunity to attend SAP Insider 2023 in Copenhagen, one of the most significant international SAP events. This meeting provided a unique platform to learn about the latest trends and advancements in SAP solutions, especially in the areas of Identity Access Governance (IAG), Access Control (GRC AC) and Enterprise Risk and Compliance Solutions.

Below is a brief summary of the most notable presentations we attended.

Harnessing the Power: Maximizing IAM Efficiency with SAP Cloud IAG

The session, led by Alessandro Banzer, focused on SAP’s cloud tool IAG (Identity Access Governance), which allows customers to perform access control for SAP systems both On-Premise and in the cloud. The session also showed how other BTP services used alongside IAG, namely IAS (Identity Authentication) and IPS (Identity Provisioning), open up various possibilities for identity control across all SAP solutions, both Cloud and On-Premise.

The session also summarized the ways in which customers can deploy IAG:

  • As a sole access control solution
  • In conjunction with SAP GRC AC through the Cloud Bridge, where both tools work together.

Case Study: Managing Access Governance and Security Using SAP GRC in a Highly Regulated Industry

In this case study, presented by Boehringer Ingelheim, the evolution of user and risk management within the organization over the last 8 years was shown. This evolution takes place in a context of tight regulatory control, as it is a pharmaceutical company. One of the main challenges is the adoption of a new tool to eventually replace SAP IDM, which will be decommissioned in the coming years.

Compliant User Provisioning from Hire to Retire: How to Streamline, Manage, and Automate User Access Provisioning

The next presentation of the first day was given by James Roeske and focused on the user provisioning process. After an introduction to best practices and the process itself, emphasizing that accounts must not only be provisioned but provisioned efficiently and in a way that ensures regulatory compliance, the SAP GRC tools that meet this objective were shown, such as ARM (the GRC AC module that automates the provisioning process) and HR Triggers for automating user onboarding and offboarding.

The Adventure of Business Use Cases Becoming Real GRC Features and Functions at SAP

As usual, this presentation by Marie-Luis Wagener-Kirchner, who is responsible for products such as GRC Process Control, Risk Management, Audit Management and others in the Enterprise Risk and Compliance Solutions portfolio, focused on how SAP’s own organization turns internally developed use cases into new functionality in tools such as Process Control or Risk Management. The presentation highlighted new functionality now available to customers, including:

  1. New default dashboards for use in SAC (SAP Analytics Cloud).
  2. New visualization interfaces (ABAP WebDynpro) and new customization options.
  3. Integration with Microsoft Word to generate Risk Management reports in that format.

Access Governance: Strategy and Roadmap for the Years to Come

This session, led by Gero Maeder, who is responsible for the GRC AC and IAG solutions, explained the roadmap for both solutions over the coming years. Beyond the improvements presented, a new version of SAP GRC AC for SAP HANA is confirmed for release in 2026; a HANA database will therefore be mandatory to run GRC AC.

This confirms that GRC AC is a justifiable investment, as the tool will remain on the market for many more years with support and development by SAP.

Regarding IAG, the main highlight is the (native) integration of new system types, and the release to all customers (previously not generally available) of the PAM (Privileged Access Management, also known as Emergency Access or Firefighter) functionality for SAP S/4HANA Cloud.

Case Study: Power-Up Your Defences: Leveraging SAP Enterprise Threat Detection – The Legend of Security at Nintendo

In this presentation, the Nintendo team shared their digitalization journey with SAP solutions, starting in 2016 with the implementation of ECC, followed by the migration to S/4HANA and other implemented solutions. At that point, the organization had no visibility of potentially dangerous events occurring in its systems (execution of critical transactions, running debug mode in production environments, etc.).

To address this, they opted to implement the Enterprise Threat Detection (ETD) solution, which automates the identification of such events through defined rules. Nintendo then established a manual review process in ETD, in which each reported event has to be properly attended to, analyzed and justified.

Turn Risk into Reward with SAP Enterprise Risk and Compliance Solutions

Once again, Marie-Luis Wagener-Kirchner presented the roadmap for the Enterprise Risk and Compliance Solutions portfolio, including SAP GRC Process Control and Risk Management. Among the main updates, a new version of GRC PC and RM for SAP HANA is also confirmed for 2026 (which will again require installing SAP GRC on a HANA database), securing the tool’s future for the coming years. In addition, it was hinted that the solution may become available only in a Private Cloud edition, although this is not yet confirmed.

Some improvements were also announced, such as integration of GRC PC with new systems like SAP Fieldglass (a cloud-based system).

The Inprosec team identified a paradigm shift relative to AC (confirmed by Marie-Luis): SAP GRC PC will be natively integrable with SAP’s public cloud systems, without the need for middleware such as Cloud Bridge. It was also confirmed that new cloud systems will gradually be integrated.

Case Study: Perfetti Van Melle’s Quest Towards an Integrated and Automated GRC Model

This session, led by Marcelo Monsores, showed, from a process perspective, the path Perfetti Van Melle followed to improve access control in its SAP systems.

The company’s roadmap is presented for moving from a starting point with few documented processes, overly broad access that exposed users to segregation-of-duties risks, and low adoption of the existing access control technology (in this case, SAP GRC AC), to a controlled and sustainable state in terms of access.

Case Study: How to Increase Risk Awareness, Control Adoption, and Visibility – The Vestas Journey to Streamline Financial Compliance Processes

In this case, presented by Diego Allera, GRC Senior Specialist, an implementation of SAP GRC PC at Vestas is explained. First, the main reasons for undertaking the project are given, such as having a single centralized source of information and the need for a tool that could automate processes previously done manually or semi-manually.

The main reasons for the successful implementation are then explained: the involvement of senior management, the simplification of their process, and effective communication of information to all teams.

Finally, at the tool level, the technical solutions adopted are explained: MCP (Manual Control Performance) for documenting control execution, ToE (Test of Effectiveness) for determining whether a control is effective, and CCM (Continuous Control Monitoring) for automating certain controls.

Harness The Power of SAP GRC Across Your Entire Landscape, Options for Cloud and Non-ABAP Systems

In this second session by James Roeske, the different options customers have for effective access control across their entire application landscape, SAP On-Premise, SAP Cloud and even non-SAP, are presented.

The solutions covered were:

  1. The well-known SAP GRC AC
  2. SAP IAG, both in standalone mode and in bridge mode to extend SAP GRC AC to cloud environments.
  3. Third-party solutions to extend SAP GRC AC to cloud environments.
  4. File analysis, which allows risk analysis of non-SAP systems from GRC AC.

Get hands-on security recommendations for your SAP BTP Environment

In this case it was not a presentation but a hands-on working session, in which the Inprosec team worked on securing an SAP BTP environment: setting password policies, configuring two-factor authentication, creating users and roles, and reviewing audit logs to identify events occurring in SAP BTP.

Case Study: How to Regain Control Over SAP User Authorizations and Remediate SoD Violations – The Vestas Journey to Secure Segregation of Duties.

In this session, presented by Vestas, the process followed to move from an initial situation, in which control over the number of risks in the system had been lost and access was overly broad, to a controlled scenario is recounted.

For this, a proprietary risk matrix was developed, since SAP’s standard risk matrix did not cover all of Vestas’ requirements. Next, the access model Vestas needed was defined, opting for a business-roles model built on technical roles that group the transactions users need for each functionality.

Finally, the collaboration with all teams to refine these roles as much as possible is highlighted, ensuring that they never contained internal segregation-of-duties risks.
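As an added illustration (not Vestas’ matrix, SAP-delivered content, or code from this event), the following Python shows the two analyses this approach relies on: a user-level check of a function-based risk matrix, and a role-level check that flags technical roles carrying a risk on their own, which is exactly what the refinement described above has to rule out. All functions, risk IDs, roles and users are constructed for the example; real GRC AC functions also evaluate authorization objects and field values, which are omitted here.

```python
"""Minimal segregation-of-duties (SoD) analysis over a function-level risk matrix.

Constructed example: the function definitions, risk matrix, technical roles,
business roles and users below are invented for illustration. They are NOT
Vestas' matrix nor an SAP-delivered ruleset. The structure mirrors how GRC AC
models risks: a risk is a set of conflicting functions, and each function is a
set of actions (here, transaction codes).
"""

# Function -> transaction codes that can perform it (constructed mapping).
FUNCTIONS = {
    "VENDOR_MAINTAIN": {"XK01", "XK02", "FK01", "FK02"},
    "VENDOR_INVOICE":  {"FB60", "MIRO"},
    "VENDOR_PAYMENT":  {"F110"},
    "PO_CREATE":       {"ME21N", "ME22N"},
    "GOODS_RECEIPT":   {"MIGO"},
}

# Risk id -> (description, functions that conflict). A user or role holds the
# risk only when it can execute *every* listed function.
RISK_MATRIX = {
    "R001": ("Create a fictitious vendor and pay it",
             ("VENDOR_MAINTAIN", "VENDOR_PAYMENT")),
    "R002": ("Post and pay a vendor invoice",
             ("VENDOR_INVOICE", "VENDOR_PAYMENT")),
    "R003": ("Order goods and receive them",
             ("PO_CREATE", "GOODS_RECEIPT")),
}

# Technical role -> transactions it grants (constructed).
TECH_ROLES = {
    "Z_AP_CLERK":     {"FB60", "MIRO", "FK02"},
    "Z_AP_PAYMENTS":  {"F110"},
    "Z_MM_BUYER":     {"ME21N", "ME22N"},
    "Z_MM_WAREHOUSE": {"MIGO"},
    "Z_P2P_ALL":      {"ME21N", "MIGO", "FB60"},   # deliberately conflicting
}

# Business role -> technical roles it bundles (constructed).
BUSINESS_ROLES = {
    "B_ACCOUNTS_PAYABLE": ["Z_AP_CLERK"],
    "B_TREASURY":         ["Z_AP_PAYMENTS"],
    "B_PURCHASER":        ["Z_MM_BUYER"],
}

# User -> business roles (constructed). BOB combines invoicing and payment.
USERS = {
    "ALICE": ["B_ACCOUNTS_PAYABLE"],
    "BOB":   ["B_ACCOUNTS_PAYABLE", "B_TREASURY"],
    "CAROL": ["B_PURCHASER"],
}


def functions_enabled(tcodes: set) -> set:
    """Return the functions whose action set intersects the granted tcodes."""
    return {f for f, actions in FUNCTIONS.items() if actions & tcodes}


def risks_for_tcodes(tcodes: set) -> dict:
    """Map risk id -> sorted list of transactions that trigger it.

    A risk fires only when all of its conflicting functions are reachable
    from the given transaction set.
    """
    enabled = functions_enabled(tcodes)
    hits = {}
    for risk_id, (_, funcs) in RISK_MATRIX.items():
        if all(f in enabled for f in funcs):
            hits[risk_id] = sorted(t for f in funcs for t in FUNCTIONS[f] & tcodes)
    return hits


def user_tcodes(user: str) -> set:
    """Resolve user -> business roles -> technical roles -> transactions."""
    tcodes = set()
    for brole in USERS[user]:
        for trole in BUSINESS_ROLES[brole]:
            tcodes |= TECH_ROLES[trole]
    return tcodes


def analyze_users() -> dict:
    """User-level SoD analysis: user -> {risk id: triggering transactions}."""
    return {u: risks_for_tcodes(user_tcodes(u)) for u in USERS}


def roles_with_internal_risk() -> dict:
    """Role-level analysis: technical roles that carry a risk by themselves.

    Such a role violates SoD for every user who receives it, so it must be
    split before it can serve as a building block for business roles.
    """
    return {r: risks_for_tcodes(t) for r, t in TECH_ROLES.items() if risks_for_tcodes(t)}


if __name__ == "__main__":
    for user, risks in analyze_users().items():
        print(user, risks or "clean")
    print("roles with internal risk:", roles_with_internal_risk())
```

Running the module reports BOB as holding R001 and R002 (he can both maintain vendors and post invoices via Z_AP_CLERK, and run the payment run via Z_AP_PAYMENTS), ALICE and CAROL as clean, and Z_P2P_ALL as a role that must be split because it carries R003 regardless of who receives it. In a real landscape the risk matrix and role-to-transaction data would come from GRC AC or the target system rather than from literals.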


We conclude this summary by extending sincere thanks to the organizers of the SAP event in Copenhagen. Their dedication and effort in bringing together experts and leaders in the sector have been fundamental in deepening our knowledge of SAP solutions and governance strategies. These days were not only informative but also inspiring, marking the path towards innovation and efficiency in our business practices. Thank you for an enriching and valuable experience.
