GRC Expert knowledgebase, Volume 2 (2009), Update 6

Make Identity Management Sarbanes-Oxley-Compliant by Leveraging Integrated SAP Solutions

by Frank Rambo, Director, Regional Implementation Group (RIG) EMEA, SAP GRC (June 2009)

Efficient processes for identity management (IDM) are a challenge to many companies — in particular when access- and authorization-related risks must be managed and taken under consideration prior to provisioning access privileges. SAP BusinessObjects Access Control 5.3 comes with a Web service-based interface intended to provide risk analysis and mitigation features to IDM solutions. See how to integrate one such solution, SAP NetWeaver Identity Management 7.1, with SAP BusinessObjects Access Control 5.3 to obtain a highly cost-efficient solution for compliant IDM.

Categories: Compliance, Regulations, SAP BusinessObjects Access Control (former Virsa tools), SAP NetWeaver Identity Management, Sarbanes-Oxley

Access Control, GRC Access Control

Key Concept

SAP BusinessObjects Access Control 5.3 comes with a product capability for approval workflows and access provisioning called Compliant User Provisioning (CUP) and a Web service-based interface. This interface allows for the creation of access requests in CUP triggered by external systems. IDM solutions can use this interface to forward entitlements for ERP systems to CUP, where compliance managers can perform detailed risk analysis and mitigation before the entitlements are provisioned in the target systems.

Enterprises have to be highly flexible to adapt to change and take advantage of new business opportunities. This creates pressure to rapidly deploy new applications and systems, and expose them internally and externally to employees, partners, and customers. In such an environment, information on identities — employees, partners, and customers — relevant for business processes and applications is spread across heterogeneous and incompatible sources coming with different data formats and access protocols. This lack of a central source for identity information leads to inconsistent and out-of-date information, which in turn weakens overall information security and reduces efficiency of key processes, such as on-boarding of employees or provisioning of required access permissions to customers and business partners.

The prime objective of identity management (IDM) is to overcome these deficiencies, centrally manage all identity data, and ensure high data quality. Another important requirement enterprises must meet is compliance with regulations such as the Sarbanes-Oxley Act, which deals with the identification and prevention of access- and authorization-related risks. These legal requirements directly affect the provisioning of access privileges to business applications. You need to implement appropriate mechanisms that prevent a user from being granted access to business transactions that, in combination, violate segregation of duties (SoD). These mechanisms require detailed risk-identification rules for complex business applications from multiple vendors, which places them beyond the scope of IDM solutions. Consequently, there is currently no single product for compliant IDM on the market that delivers efficient provisioning of identity data and access privileges together with Sarbanes-Oxley compliance across a heterogeneous system landscape.
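The gating flow that the Key Concept and the paragraph above describe (an IDM system hands requested entitlements to a compliance engine, the combined access is checked against SoD rules, and nothing is provisioned until every violation is mitigated or the request is rejected) can be modelled in a few lines. The following Python is an added illustration written for this page; it is not code from the article, and it does not call the real CUP Web service. The rule set, the risk IDs, the entitlement names and the function names are all constructed for the example.

```python
"""Constructed model of SoD risk analysis as a gate in front of provisioning.

Not SAP code: the rule set, risk IDs, entitlement names and the
AccessRequest/analyze_risks/decide names are assumptions for this example.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Set

# Constructed SoD rule set: each risk lists two entitlements that must never be
# held by the same user (e.g. creating a vendor and paying that vendor).
SOD_RULES: Dict[str, FrozenSet[str]] = {
    "P001": frozenset({"VENDOR_CREATE", "VENDOR_PAYMENT"}),
    "P002": frozenset({"PO_CREATE", "PO_APPROVE"}),
    "F003": frozenset({"GL_POST", "GL_RECONCILE"}),
}


@dataclass
class AccessRequest:
    """What an IDM system would forward to the compliance engine."""
    user: str
    requested: Set[str]                 # entitlements the IDM request asks for
    existing: Set[str]                  # access already provisioned in target systems
    # Risk IDs a compliance manager has accepted with a mitigating control.
    mitigations: Set[str] = field(default_factory=set)


def analyze_risks(existing: Set[str], requested: Set[str]) -> List[str]:
    """Return the SoD risk IDs violated by the user's combined access.

    The analysis deliberately runs on existing + requested access: a request
    that looks harmless on its own can complete a conflict with access the
    user already holds.
    """
    combined = existing | requested
    return sorted(rid for rid, pair in SOD_RULES.items() if pair <= combined)


def decide(req: AccessRequest) -> dict:
    """Apply the gate: hold the request while any violation is unmitigated."""
    violations = analyze_risks(req.existing, req.requested)
    unmitigated = [rid for rid in violations if rid not in req.mitigations]
    if unmitigated:
        status = "HOLD"                      # stays with compliance; nothing provisioned
    elif violations:
        status = "APPROVE_WITH_MITIGATION"   # violations exist but each has a control
    else:
        status = "APPROVE"
    return {
        "user": req.user,
        "status": status,
        "violations": violations,
        "unmitigated": unmitigated,
        # Only an approved request releases entitlements to provisioning.
        "provision": sorted(req.requested) if status != "HOLD" else [],
    }


if __name__ == "__main__":
    # Constructed requests: one clean, one completing a conflict with existing
    # access, and the same conflict after a mitigation has been recorded.
    clean = AccessRequest("u.clean", {"GL_POST"}, {"PO_CREATE"})
    conflict = AccessRequest("u.conflict", {"VENDOR_PAYMENT", "GL_POST"}, {"VENDOR_CREATE"})
    mitigated = AccessRequest("u.mitigated", {"VENDOR_PAYMENT", "GL_POST"},
                              {"VENDOR_CREATE"}, mitigations={"P001"})
    for req in (clean, conflict, mitigated):
        print(decide(req))
```

The point the model makes is in `analyze_risks`: the check must run over the union of existing and requested access, because the risk in the article's scenario is not a single entitlement but a combination, and the half that completes the conflict may already be provisioned.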

However, you can combine SAP BusinessObjects Access Control 5.3 with IDM solutions to provide an efficient solution for Sarbanes-Oxley-compliant IDM across a heterogeneous system landscape. After an overview of the product capability Compliant User Provisioning (CUP) and its Web service-based interface to IDM solutions, I’ll continue with an introduction to SAP NetWeaver Identity Management 7.1, which represents a powerful combination of the meta-directory and virtual directory concepts. Using the example of SAP NetWeaver Identity Management, I’ll describe a scenario in which you can combine these SAP products to create a highly automated and SAP ERP Human Capital Management (HCM)-integrated solution for Sarbanes-Oxley-compliant IDM.

Let’s start with a couple of technical concepts upon which most IDM solutions are based.


Copyright © 2010 Wellesley Information Services. All rights reserved. Email: customer.service@grcexpertonline.com.
GRC Expert, 20 Carematrix Drive, Dedham, MA 02026, USA.
Sales and Customer Service: 1-781-751-8799
SAP and the SAP logo are trademarks or registered trademarks of SAP AG in Germany and several other countries.