GRC Access Control Implementation

Client Profile

Location: Malaysia

Industry: Utilities

The client is a state-owned utilities provider. It generates and distributes electricity for the whole state.

  • The client operates in a highly regulated industry and wanted to improve and streamline its SAP access risk management.
  • The client had purchased licenses for SAP GRC Access Control (AC). They required services to implement the product to its full extent.
  • The client had an established high-level SAP rulebook (i.e. a list of segregation of duties and critical access risks which should be managed). This rulebook was based on their business process risk framework documents and was not implemented or monitored in practice.
  • The SAP system had over 2,400 users and 9 SAP modules. Each module was managed by a specialist team.
  • The project was carried out in two phases. The first phase aimed to clean up existing access risk violations and implement the ARA (Access Risk Analysis) and EAM (Emergency Access Management) modules. The second phase aimed to implement the ARM (Access Request Management) and BRM (Business Role Management) modules together with their supporting processes.

Project Objectives

  • To create a detailed access risk rulebook based on the client’s existing high-level rulebook. The resulting updated rulebook should contain all relevant authorisation objects so that it can be uploaded into the client’s ARA (Access Risk Analysis) module.
  • To achieve compliance with the above-mentioned rulebook, i.e. to achieve a state of managed segregation of duties and critical access risks in their SAP system.
  • To automate the process of access rights provisioning to users and roles.
  • To establish well-controlled privileged (emergency) access into SAP.

Challenges and Opportunities

  • There was no well-defined procedure to restrict, document and monitor the use of privileged access into SAP. The only record indicating that privileged access had been used was in a ticketing tool.
  • User provisioning was often delayed due to the non-availability of approvers.
  • Role changes were implemented in SAP before approval. Approval was only sought afterwards.

Why XS Control

  • Subject matter expertise in SAP audit, security and controls, backed by decades of experience.
  • A multi-disciplinary team comprising consultants with backgrounds in audit, security implementation and maintenance.
  • GRC product expertise resulting from activities as a Certified SAP Partner and a leading specialist for the deployment of SAP GRC solutions in various large and medium-sized enterprises.
  • The availability of our own GRC AC lab, as well as specific tools and content to accelerate the configuration of GRC AC. This enabled us to start configuration activities significantly in advance of the commissioning of required hardware by the client. Effectively, this allowed the timeline of the implementation to be reduced as various activities could take place simultaneously.

Project Highlights

  • User access analytics was performed in order to assess the compliance of existing users and roles against the client’s updated rulebook. Based on the results, cleanup activities were performed, leading to well-managed, improved roles and role assignments to users.
  • The integration of the GRC AC system with the other SAP environments allowed process automation to be achieved.
  • Email reminders and notifications were set up according to a defined hierarchy of approvers, allowing for a more efficient approval process.
  • Changes to roles were configured to require an approval through the automated role approval process.
  • An automated user access provisioning process was implemented with an automated risk analysis built in, ensuring that compliance was properly considered and managed before access was granted.
  • User access provisioning workflow was customised to allow for specific client requirements to be achieved.
  • Well-defined privileged access management was established, documented and implemented through the use of the EAM (Emergency Access Management) module.
  • Change management for stakeholders and end-users was carried out through close interaction and collaboration with project sponsors and individuals on the ground.
  • Training was provided to all relevant stakeholders and users, which led to widespread awareness and knowledge, effectively allowing for the new processes to take place smoothly as part of business-as-usual operations.
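The two analysis steps described above, the compliance check of existing users and roles against the rulebook (with the role-level and user-level breakdown that drives cleanup) and the preventive risk analysis of an access request before provisioning, are illustrated by the following added example. It is not XS Control's or SAP GRC's code. The rulebook, roles and users are constructed sample data; S_TCODE and F_BKPF_KOA are standard SAP authorisation objects and XK01, FB60 and F110 standard transaction codes, used here only to make the sample realistic.

```python
"""Segregation-of-duties (SoD) analysis over SAP-style role authorisations.

Added illustrative example. All rulebook content, roles and users below are
constructed for the example and are not taken from the client system.
"""

# A role grants authorisations: object -> field -> set of values ('*' = any).
ROLES = {
    "Z_AP_CLERK": {"S_TCODE": {"TCD": {"FB60", "FB65"}},
                   "F_BKPF_KOA": {"KOART": {"K"}, "ACTVT": {"01", "02"}}},
    "Z_VENDOR_MAINT": {"S_TCODE": {"TCD": {"XK01", "XK02"}}},
    "Z_PAYMENT_RUN": {"S_TCODE": {"TCD": {"F110"}}},
    # Overly broad role with wildcard values: a role design defect.
    "Z_FI_ALL": {"S_TCODE": {"TCD": {"*"}},
                 "F_BKPF_KOA": {"KOART": {"*"}, "ACTVT": {"*"}}},
}

# Users and their assigned roles (constructed).
USERS = {
    "ALICE": {"Z_AP_CLERK"},
    "BOB": {"Z_AP_CLERK", "Z_VENDOR_MAINT"},
    "CAROL": {"Z_PAYMENT_RUN"},
}

# A business function is executable if ANY of its alternative actions is
# fully authorised; an action is a list of (object, field, value) that must
# ALL be granted. This is the "detailed rulebook" level of authorisation objects.
FUNCTIONS = {
    "AP01": ("Maintain vendor master",
             [[("S_TCODE", "TCD", "XK01")], [("S_TCODE", "TCD", "XK02")]]),
    "AP02": ("Post vendor invoice",
             [[("S_TCODE", "TCD", "FB60"), ("F_BKPF_KOA", "KOART", "K"),
               ("F_BKPF_KOA", "ACTVT", "01")]]),
    "AP03": ("Execute payment run", [[("S_TCODE", "TCD", "F110")]]),
}

# An SoD risk is violated when every function in its set is executable.
RISKS = {
    "P001": ("High", "Maintain vendor master and post vendor invoice", {"AP01", "AP02"}),
    "P002": ("High", "Post vendor invoice and execute payment run", {"AP02", "AP03"}),
}


def auth_matches(auths, obj, fld, value):
    """True if the authorisation set grants `value` for object/field, honouring '*'."""
    values = auths.get(obj, {}).get(fld, set())
    return "*" in values or value in values


def merged_auths(role_names):
    """Union of authorisations across a set of roles: a user's effective access."""
    merged = {}
    for r in role_names:
        for obj, fields in ROLES[r].items():
            for fld, vals in fields.items():
                merged.setdefault(obj, {}).setdefault(fld, set()).update(vals)
    return merged


def enabled_functions(auths):
    """Set of function ids executable with the given authorisations."""
    out = set()
    for fid, (_, alternatives) in FUNCTIONS.items():
        if any(all(auth_matches(auths, o, f, v) for o, f, v in action)
               for action in alternatives):
            out.add(fid)
    return out


def violations(role_names):
    """Sorted risk ids whose every function is enabled by the given roles."""
    enabled = enabled_functions(merged_auths(role_names))
    return sorted(rid for rid, (_, _, funcs) in RISKS.items() if funcs <= enabled)


def role_level_violations():
    """Risks contained within a single role: fix the role design, not the user."""
    return {r: violations({r}) for r in ROLES if violations({r})}


def user_level_violations():
    """Risks arising only from the combination of roles assigned to each user."""
    return {u: violations(roles) for u, roles in USERS.items() if violations(roles)}


def contributing_roles(user, risk_id):
    """For cleanup: which of the user's roles enable each function of the risk.
    Attribution is per role, so a function enabled only by combining objects
    from several roles would show an empty list here."""
    funcs = RISKS[risk_id][2]
    return {fid: sorted(r for r in USERS[user]
                        if fid in enabled_functions(merged_auths({r})))
            for fid in sorted(funcs)}


def simulate_request(user, new_role):
    """Preventive check on an access request: risks that adding `new_role` would introduce."""
    before = set(violations(USERS[user]))
    after = set(violations(USERS[user] | {new_role}))
    return sorted(after - before)


if __name__ == "__main__":
    print("Role-level violations:", role_level_violations())
    print("User-level violations:", user_level_violations())
    print("BOB / P001 caused by:", contributing_roles("BOB", "P001"))
    print("Request CAROL += Z_AP_CLERK would add:", simulate_request("CAROL", "Z_AP_CLERK"))
```

The separation between role-level and user-level findings is what makes cleanup tractable: a risk inside one role is a role design problem to be fixed once, while a risk produced by a combination of roles is resolved per user by removing an assignment or accepting the risk with a mitigating control. The same `violations` function serves the preventive check on a request, which is the point of building risk analysis into provisioning rather than running it only retrospectively.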

Project Benefits

  • An improved risk management process and cost savings due to increased efficiency.
  • An improved response time (within a day) for user changes to be implemented through the use of the ARM (Access Request Management) module.
  • Emergency access is now provided through the use of Firefighters, which allows for a well-controlled restriction of privileged access and detailed documentation.
  • Role changes are approved by all relevant stakeholders, including functional stakeholders.

Related Services

Access Framework

Through close collaboration with you, we identify access risks in your SAP processes and design the controls for them.

User Access Analytics

We analyse how well your SAP access complies with segregation of duties and critical access requirements, then present you with reporting in a format that works for you.

Access Risk Remediation

We help you tackle access-related issues in your SAP system and devise long-term plans to manage your system.

GRC Tool Implementation

Whether you choose SAP GRC or MARC, we help you identify the most suitable software for your organisation and help you implement it.

Training

We run bespoke, hands-on training workshops to equip your stakeholders with essential knowledge tailored to their needs.
