Saving valuable resources, removing risks, and creating a faster and smoother employee experience
If you follow best practice, or are required to be SoX compliant, then you will have to perform an Employee Access Review and Recertification at least once per year to ensure that your employees access is commensurate with their job/position.
But how unbelievably painful are these to do manually? Not just reviewing people with SAP access but also having to review all of the other systems that they have access to.
With automated Access Review and Recertification, gone are the days of manually pulling access reports out of SAP, then trying to translate technical role names or T-codes into business terminology that would actually mean something to a reviewer, such as, can they approve a purchase order, or create a sales order?
Our automation can map technical ‘objects’ to business terminology, map access and capabilities to role owners or business process owners, and provide reviewers with a simple to use web portal to review employees’ access to the areas of SAP that they own. Reviews can be as granular as you like and can run on automated schedules.
A live dashboard can spot hold ups or delays within a particular review and can initiate eMail chasers and/or escalations.
Every organisation has Process Controls such as checking which accounts have ‘superuser’ access or checking that the SAP live client is closed every day so that updates cannot be made to a production SAP system.
Most of these checks tend to be simple to-do lists, often in Excel, that get checked off as each task is done. Unfortunately Auditors these days are not going to be happy with such an easily abused process - they want to see uneditable evidence and they want to see real Process Control owners using digital signatures to sign-off a particular report or to confirm that a control check has been completed.
This is why our customers love ProfileTailor Process Controls where each process control has an ‘owner’ who is automatically sent a ‘sign-off’ request along with an automatically generated report for them to check - such as a list of all accounts who can approve Purchase Orders over £10,000.
An uneditable copy of each Process Control report is stored digitally as evidence along with a complete audit history of each Process Control.
Like all key parts of ProfileTailor Dynamics security, there is a special dashboard to monitor Process Controls which can even send out automatic chasers to Process Control owners that have not completed a check within a certain timeframe.
Every person working in SAP Security and Audit often spends an inordinate amount of time processing new user requests, new authorisation requests, changes to employees, and processing leavers. It is also fair to say that slow on-boarding a new employee can often be a frustration to their manager and de-moralising for the new employee.
Our Employee Lifecycle Workflow Engine can not just automate these processes within SAP, but across the landscape, including Active Directory, Office 365 and even cloud systems such as SalesForce - Just taking into account an automated leaver process, you want to ensure that the departing employee has their access locked everywhere. Automated employee change triggers can be picked up from HR systems such as SAP HCM, SuccessFactors or WorkDay so that access can be instantly changed or removed accordingly.
Automating starter. mover, leaver processes not only gives a huge amount of time back to your security and authorisations team, but it massively improves your IT security by ensuring that employees access is always commensurate with their job role. Financial savings are not only gained from saving the time of highly skilled resources but also from relinquishing expense licence assets back into the inventory.
Giving employees self-service access to some common requests provides some very quick but effective time savers - for both the employee and the Security team. A great example of this is self-service password reset which we can implement incredibly quickly and securely using either single-factor or multi-factor authentication. New authorisation requests can also easily be made self-service, with automated approval steps, automated segregation of duties analysis, and automated role provisioning - essentially providing and end-to-end business process without any involvement from the security team.
Although Emergency Access automation also comes under the banner of ‘self-service’ we have listed it separately as it often at the very top of the list of self-service workflows, often at the insistence of auditors but also because it can be very time consuming to use a manual process. Emergency Access also has some special automation requirements such as linking in with service ticketing systems (such as ServiceNow) and having the ability to log detailed activity whilst the user is using Emergency Access.
If you would like to learn more about how we can automate many of your SAP security processes then please contact us at info@greymonarch.com or complete the contact form via the below link.
Learn More about ProfileTailor Dynamics