Independent SAP advisory. Not an SAP partner, reseller, or affiliate.

SAP Identity Management Practices

SAP identity management spans provisioning, joiner mover leaver workflows, single sign on, and the connector layer that synchronizes accounts across the SAP landscape. This article covers the architecture design, the joiner mover leaver discipline, the single sign on framework, and the audit defensible identity posture that survives an external audit walkthrough.

SAPAudits Research May 18, 2026 10 minute read
In this article
  1. Why identity management matters
  2. Architecture design
  3. Joiner mover leaver discipline
  4. Single sign on framework
  5. Audit defensible identity posture

Why identity management matters

SAP identity management is the operating layer that provisions, modifies, and deprovisions user accounts across the SAP landscape. Without disciplined identity management the customer accumulates orphan accounts, missed leaver entries, and inconsistent account state between SAP systems. The accumulation appears in external audit as a control weakness in the joiner mover leaver process and creates exposure when leavers retain access beyond the termination date.

This article documents the architecture design, the joiner mover leaver discipline, the single sign on framework, and the audit defensible identity posture. Reference the SAP security audit pillar, the user access review process, and the GRC and security expertise.

Architecture design

Identity management architecture rests on three layers. The authoritative source publishes the workforce data. The identity management platform translates workforce data into account state and authorization assignment. The connector layer pushes account state into each SAP system. The customer position is to design the architecture so that HR is the authoritative source for workforce data and the identity management platform is the authoritative source for account state and authorization assignment. SAP systems are downstream consumers.

Reference the GRC implementation analysis, the role design methodology, and the authorization concepts analysis.

Joiner mover leaver discipline

The joiner mover leaver discipline is the operating rhythm that processes workforce events. Joiner creates the account and grants the role for the new hire. Mover updates the role assignment when the employee changes position. Leaver disables the account and removes the role at termination. The customer position is to drive every event through the identity management platform with a documented service level. Leaver within 24 hours of termination is the audit defensible target; mover within 5 business days of position change is the companion target.

Reference the user access review process, the SoD conflicts analysis, and the privileged access analysis.

Leaver processed within 24 hours of termination is the highest-leverage identity control. The 24 hour service level converts the leaver risk from an open ended exposure into a bounded operating metric that can be measured and reported.
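The checks described above (orphan accounts, leaver and mover service levels, and account state that disagrees between SAP systems) can be run as a reconciliation of the HR feed against the account state read back from each system. The script below is an added example written for this article, not SAPAudits' or SAP's own code. The record shapes, the system names ERP and BW, the Z_* role names, the position-to-role mapping and the sample data are all constructed for illustration, and the business-day calculation skips weekends only and ignores holidays.

```python
"""Reconcile the HR feed (authoritative source) against SAP account state.

Added example, not SAPAudits' or SAP's own code. Record shapes, system names,
role names and the position-to-role mapping are assumptions for illustration;
the business-day calculation skips weekends only and ignores holidays.
"""
from dataclasses import dataclass, field
from datetime import date, datetime, timedelta
from typing import List, Optional, Tuple

LEAVER_SLA = timedelta(hours=24)   # leaver target stated in the article
MOVER_SLA_DAYS = 5                 # mover target, in business days

# Assumed platform rule: each HR position maps to exactly one SAP role.
# Roles outside this mapping are not governed by the mover check.
POSITION_ROLE = {
    "AP_CLERK": "Z_AP_CLERK",
    "AP_SUPERVISOR": "Z_AP_SUPERVISOR",
    "BUYER": "Z_PURCHASING",
}
MANAGED_ROLES = set(POSITION_ROLE.values())


@dataclass
class Worker:
    """One record from the HR feed."""
    person_id: str
    position: str
    position_changed: date
    terminated_at: Optional[datetime] = None


@dataclass
class SapUser:
    """Account state read back from one SAP system."""
    system: str
    user_id: str
    person_id: Optional[str]      # None when the account has no HR linkage
    locked: bool
    roles: set = field(default_factory=set)


def add_business_days(start: date, days: int) -> date:
    """Advance start by the given number of Mon-Fri days (holidays ignored)."""
    d = start
    while days > 0:
        d += timedelta(days=1)
        if d.weekday() < 5:
            days -= 1
    return d


Finding = Tuple[str, str, str]


def reconcile(workers, accounts, now: datetime) -> List[Finding]:
    """Compare every SAP account with HR; return (finding, system, user) tuples."""
    by_person = {w.person_id: w for w in workers}
    findings: List[Finding] = []
    for acct in accounts:
        worker = by_person.get(acct.person_id) if acct.person_id else None
        if worker is None:
            # Account exists in SAP but HR knows no such person: orphan.
            findings.append(("ORPHAN_ACCOUNT", acct.system, acct.user_id))
            continue
        if worker.terminated_at is not None:
            # Leaver: every system must be locked within 24h of termination.
            if not acct.locked and now - worker.terminated_at > LEAVER_SLA:
                findings.append(("LEAVER_SLA_BREACH", acct.system, acct.user_id))
            continue
        # Mover/joiner: by the deadline the managed role must match the current
        # position and roles inherited from the previous position must be gone.
        expected = POSITION_ROLE.get(worker.position)
        deadline = add_business_days(worker.position_changed, MOVER_SLA_DAYS)
        managed = acct.roles & MANAGED_ROLES
        drift = expected is not None and managed != {expected}
        if drift and now.date() > deadline:
            findings.append(("MOVER_SLA_BREACH", acct.system, acct.user_id))
    return findings


def run_example() -> List[Finding]:
    """Constructed HR feed and SAP state; the check runs on 18 May 2026 09:00."""
    now = datetime(2026, 5, 18, 9, 0)
    workers = [
        Worker("P001", "AP_CLERK", date(2026, 1, 5)),
        Worker("P002", "AP_CLERK", date(2025, 3, 3),
               terminated_at=datetime(2026, 5, 15, 8, 0)),     # left 3 days ago
        Worker("P003", "BUYER", date(2026, 5, 6)),              # moved 8 business days ago
        Worker("P004", "AP_SUPERVISOR", date(2026, 5, 14)),     # moved 2 business days ago
    ]
    accounts = [
        SapUser("ERP", "JSMITH", "P001", False, {"Z_AP_CLERK"}),
        SapUser("ERP", "MJONES", "P002", False, {"Z_AP_CLERK"}),   # leaver still open
        SapUser("BW", "MJONES", "P002", True),                     # same leaver, locked here
        SapUser("ERP", "ALEE", "P003", False, {"Z_AP_CLERK", "Z_PURCHASING"}),  # old role kept
        SapUser("ERP", "RKIM", "P004", False, {"Z_AP_CLERK"}),     # mover still within SLA
        SapUser("ERP", "TEMP_FF", None, False, {"Z_BASIS_ADMIN"}), # no HR linkage
        SapUser("BW", "ZZOLD", "P999", False, {"Z_BW_REPORT"}),    # person unknown to HR
    ]
    return reconcile(workers, accounts, now)


if __name__ == "__main__":
    for finding in run_example():
        print(*finding)
```

On the constructed data the run reports the leaver that is still open in ERP three days after termination (the locked BW account for the same person shows the cross-system inconsistency the article warns about), the mover who kept the previous position's role past the 5 business day deadline, and the two accounts with no HR owner; the mover whose change is two business days old is not reported because the service level has not yet elapsed. Counting breaches over a period gives the bounded operating metric the article describes.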

Single sign on framework

Single sign on (SSO) reduces password risk and improves the user experience. SAP supports SAML, Kerberos, and SAP logon ticket frameworks. The customer position is to standardize on SAML against the enterprise identity provider for human users and to maintain SAP logon ticket for backend integration where SAML is not technically feasible. The framework choice drives password policy. Where SSO is universal the SAP password becomes a fallback used in emergencies only, and the password policy can be set correspondingly strict.

The detail is in our license audit pillar (cross-referenced there for the named user implication of SSO and password policy), the basis security analysis, and the cybersecurity analysis.

Audit defensible identity posture

The audit defensible identity posture has four components. First, the architecture with HR as the authoritative source for workforce data and identity management as the authoritative source for account state. Second, the joiner mover leaver discipline at the documented service level. Third, the single sign on framework standardized on SAML for human users. Fourth, the quarterly user access review that recertifies role assignment. The four components together survive external auditor walkthrough and SOX testing.

The implementation detail is in our GRC implementation analysis, the user access review process, the privileged access analysis, and the compliance framework pillar. The GRC and security expertise documents the full senior advisor methodology.

Key takeaway

Identity posture that closes the leaver risk and supports audit

Related white paper

SAP Authorization Audit Guide

The reference guide to SAP identity management architecture, the joiner mover leaver discipline, the single sign on framework, and the audit defensible identity posture.

SAPAudits Research
Senior practitioners, SAP identity and access management

The SAPAudits research team includes senior advisors with combined experience supporting more than 500 enterprise SAP engagements. We do not hold any commercial relationship with SAP.
