Compliant SAP Access Management - Xiting

Compliant SAP Access Management Training and Access Risk Integration Daniel Gallego


Post on 18-Mar-2023

Compliant SAP Access Management Training and Access Risk Integration

Daniel Gallego

Presentation title, date, author 2

Boehringer Ingelheim in brief

• Family-owned pharmaceutical company
• Founded 1885 in Ingelheim, Germany
• Focus on Human Pharma, Animal Health and Biopharmaceutical Contract Manufacturing
• Around 51,000 employees worldwide
• R&D expenses of almost EUR 3.5 billion
• 28 R&D sites worldwide for Human pharmaceuticals and Animal Health
• Net sales of EUR 19 billion
• 175 affiliated companies worldwide
• Investment in tangible assets: EUR 1,073 million

Status: 31.12.2019

Agenda

1. Simplify SAP AM using Business Roles
2. Results QG3 – Update Open points; How to define compliant SAP AM Approval Workflow
3. Integration of Training Compliance (LOS/SF)
4. Integration of Access Risk Compliance (SAP GRC AC)
5. Features

Simplify SAP AM using Business Roles

What is a SAP IdM Business Role?

It’s a container for

1. SAP application roles
2. Other attributes that can be used for workflow process steps or other process steps

[Diagram labels: SAP IdM Business Role; Role 1, Role 2, Role 3; A, B, C; Approver; Training]

Simplify SAP AM using Business Roles

MISSION

1. Reduce complexity of application roles
2. Reduce redundant requests for different systems

[Diagram labels: SAP IdM Business Role; Role 1, Role 2; Ariba, Global SAP ERP, Global SAP BW, MDG, SolMan]

How to define a compliant SAP AM Approval Workflow

MISSION

1. Automate manual processes
   a) Provisioning of users to SAP systems
   b) Training compliance related to SAP access
2. Improve compliance (e.g. leavers, traceability)
3. Prevent access risks

[Diagram labels: Training, Compliance, SoD, Audit, Organization, GxP, Roadmaps, Costs]

How to define a compliant SAP AM Approval Workflow

[Workflow diagram. Components: Boehringer Ingelheim Central user directory; SAP Identity Management; Web-based User Interface (Standard SAP Portal); User Master Data; SAP Backend Systems. Steps shown: Role request; Manager approval; Role Owner approval; LOS check; GRC check; GRC critical risk analysis. Decision steps have Yes/No branches that lead to End of Workflow.]

Integration of Training Compliance (LOS/SF)

LOS check

• Custom integration with end-user training platform Learning One Source (LOS)
• Automatic LOS curricula assignment (and removal)
• Full traceability between SAP IdM and LOS
• Part of SuccessFactors

[Diagram labels: Training; SAP IdM Business Role]

Integration of Access Risk Compliance (SAP GRC AC)

GRC check

• Custom GRC integration to enable preventive access risk check
• Automatic rejection for requests generating access risks with risk level critical
• GRC mitigation workflow for access risks with risk level high

[Diagram labels: SAP IdM Business Role; SAP ERP; User]

Features – SAP IdM UI5

Role request process in user-friendly shopping cart mode

Intuitive approval UI

Features – User Access Review

Automated yearly SAP User Access Review with integrated reporting

Features – Firefighter Requests

Same entry point for SAP Firefighter requests

[Workflow diagram. Components: Boehringer Ingelheim Central user directory; SAP Identity Management; Web-based User Interface (Standard SAP Portal); User Master Data; SAP GRC. Steps shown: FF request; Manager approval; Role Owner approval; LOS check. Decision steps have Yes/No branches that lead to End of Workflow.]

Outlook – Other

• Finalize hybrid scenarios (IPS/IAS via BTP)

• Identify requirements for cross-system access risks

• Extend self-service for Business Role Change Management

• Investigate automation for technical users