18-06-2015

The Next View, a specialist in the field of SAP Identity Management, and Intregrc, specialist in Governance Risk and Compliance, often get asked what the differences are between SAP Identity Management (IdM) and SAP GRC Access Control (GRC AC). This is the reason that we recently hosted an event on this subject for our customers. In this blog you will read the questions and their subsequent answers.

SAP Identity Management vs SAP GRC Access Control

SAP offers two different solutions for user provisioning, security and user access to systems. These are:

  • SAP NetWeaver Identity Management = a strategic tool that allows you to manage user IDs, grants users access to data according to their roles and manage passwords with self-service and approval workflows.
  • SAP GRC Access Control (Governance Risk & Compliance) = a solution that allows you to automatically detect, remediate and prevent access risks.

Both of these solutions can operate in isolation, but are more effective when integrated, and this is why…

Tip! Read this customer story of the Dutch Tax Authorities that have implemented SAP Identity Management.

 

Why does SAP offer 2 solutions for 1 problem?

To understand why it’s best to use an integrated approach you must first look at why SAP offers two different solutions to solve one challenge. The core requirement for user provisioning is that one solution, in this case SAP IdM and/or SAP GRC Access Control, has to integrate with all SAP and non-SAP systems in your organisation or at least integrate with the systems you want to manage users or detect compliancy issues.

There are a lot of standard integration possibilities, in particular for SAP-to-SAP integrations, but it is still time intensive for IT and the business. In short, SAP has developed two tools that both address the same challenges but from different perspectives. Depending on your situation, your role in the organisation and the issue you’re trying to solve you should choose one to start with.

We, Integrc and The Next View, see a lot of our customers that have implemented SAP GRC Access Control or SAP Identity Management, and decide to add the other product to their roadmap. They come across additional desired functionalities. Those that use IdM, desire SAP GRC Access Control for the ‘risk analysis’ component and for those using SAP GRC Access Control, they want IdM’s ‘managing identities of users’ functionality.

  
Left: a screenshot of standard SAP Identity Management. Right: Identity Management with responsive SAPUI5 screens, as used at one of our customers.

Integrating between SAP GRC AC and SAP IdM

According to Kristian Lehment, Senior Product Manager of SAP’s Security portfolio, the integration of SAP GRC and IdM is the most exciting part of the security roadmap. “We are continuously working to integrate the two products together. Yet despite the overlap between the products, they shall never fuse to become one product, since many customers use just one,” says Kristian.

The integration of both SAP GRC Access Control and Identity Management is called Compliant Identity Management.

What’s the ideal roadmap when implementing Access Control and Identity Management?

Henk Peter Wind, SAP GRC expert and director at Integrc, states that you first step is to make all goals concrete. What do you want to achieve in  implementing these solutions?  “If you aim to identify compliance issues, we recommend that you implement SAP GRC Access Control first. However, if you want to be able to manage identities (IDs), it’s best to implement SAP Identity Management first,” says Henk Peter.

In the situation of a greenfield, you generally start with SAP Identity Management, although it is still dependent on the situation. SAP IdM helps to clear up confusion in roles and usernames. Prior to the implementation of the solution you must have a clear user base. After this you can implement SAP GRC Access Control for compliance.

Two integration scenarios for Compliant Identity Management

There are 2 different scenarios in which you can implement GCR Access Control into Identity Management:

  1. The first scenario states that SAP Identity Management is the basis for all provisioning activities. Only when a risk assessment is required, IdM will allow SAP GRC Access Control to take over. This is done via a web service call. IdM asks GRC to check for risks during provisioning. The authorisations are defined in Identity Management and the rules concerning the separation of duties (SoD) are defined in Access Control.
  2. The second scenario states that SAP GRC Access Control is the basis for provisioning and risk analysis of the SAP systems. SAP Identity Management is deployed only to manage identities, or for the provisioning of non-SAP systems.

SAP offers two products for user provisioning. SAP GRC Access Control and Identity Management can be used individually but can also be joined, in which use is made of the strongest features of both. This is how you achieve one Compliant Identity Management solution.