A battle of giants or the perfect combination?

A story by Todor Petrov

With the latest release of SAP Governance, Risk and Compliance (GRC), version 12, multiple new functionalities were added to its Access Control (AC) module. Integration with SAP Cloud Identity Access Governance (IAG) for hybrid risk analysis and user provisioning scenarios, an improved user experience with the introduction of Fiori apps, extended functionality for HANA, new rulesets for Fiori and S/4HANA, plus more integration options with SAP Identity Management (IDM) are among the highlights. Additionally, the old GRC version 10.1 is set to go out of maintenance as of 31.12.2020. When you add the scarcity of information about the specifics of GRC Access Control and IDM, it is only natural that questions start popping up. Is it time to move to another product? Is IAG the right tool for our company? Do we continue using SAP IDM, or rather bet everything on the new SAP GRC? Can GRC AC cover everything that IDM can? It is not the first time in the SAP world that certain functionalities overlap between different applications; however, thorough analysis is always necessary before rushing into final decisions. So, let's try to clear the picture.
We will first compare the major technical functionalities of the products, followed by a more business-oriented analysis of the future perspectives.
The table below gives a summary of the most important aspects:
Feature/Functionality                              | SAP IDM 8.0 SP7                                    | SAP GRC AC 12.0 SP10
---------------------------------------------------|----------------------------------------------------|---------------------
Supports employee sync                             | HCM / SuccessFactors                               | HCM / SuccessFactors
Access request                                     | Yes                                                | Yes
Approval workflows                                 | Yes                                                | Yes
Custom processes/workflows                         | Yes                                                | Yes
Audit trail                                        | Yes                                                | Yes
Role usage reporting                               | No                                                 | Yes
Automatic business role assignment                 | Yes                                                | Yes
Business role management                           | Yes                                                | Yes
User Access Review (attestation)                   | Yes                                                | Yes
Access risk analysis, remediation, and mitigation  | No                                                 | Yes
Emergency Access Management (Firefighter)          | No                                                 | Yes
User interface                                     | Web Dynpro (Fiori possible with partner solutions) | Fiori apps
Hybrid scenarios                                   | Yes                                                | Yes

Most of the functionalities are available in one way or another from both products

If we take provisioning, both have their preferred target systems, to which they can connect out of the box, while other systems require either some customizing or even purchasing/developing additional connectors.
In terms of user experience, SAP GRC was the first to take the step to Fiori and delivered new user interfaces for the end-user functionality. SAP IDM will most probably follow shortly, but currently its standard interface is still based on Web Dynpro. This plays a role once we touch on self-service requests, where the user experience differs drastically in favor of SAP GRC.
SAP GRC relies on SAP Business Workflow for its approval processes, while SAP IDM has its own proprietary workflow engine. Both offer the option to build custom processes not related to approvals. Additionally, out of the box SAP IDM also supports the so-called basic approval of master data changes, which is not available through SAP GRC.
Both products enable hybrid scenarios: IDM through the connection to the SAP Cloud Platform Identity Services, Identity Provisioning (IPS) and Identity Authentication (IAS), and GRC through the connection to IAG. Both can also build and distribute business roles and have attestation capabilities.

Where GRC and IDM differ significantly is the level of detail with which they can handle ABAP roles

IDM is not able to make a low-level breakdown of ABAP system permissions, whereas GRC AC can analyze them at the level of transactions and authorization objects. This also brings the benefit of reporting on role usage in the respective ABAP systems, which IDM does not offer out of the box. GRC additionally supports Emergency Access Management, known as Firefighter, which lets a user act under a privileged firefighter ID for a limited period. Those IDs carry broad permissions that are normally not granted to regular users. For the time a firefighter session is active the system writes an extended log of every single operation performed, and that log is only a control if a designated controller actually reviews it after the session ends.
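The difference described above, analysis at transaction and authorization-object level versus a check that only sees role names, is easiest to see on a tiny ruleset. The Python below is an added example written for this article, not code from SAP GRC or SAP IDM. Everything in it is constructed sample data: the role names, function IDs, risk ID and field values are invented, and the authorization object names (S_TCODE, F_BKPF_BUK, F_LFA1_APP) are only modelled on SAP FI objects; the data mimics the function/risk structure of a GRC AC ruleset without reproducing it.

```python
"""Segregation-of-duties (SoD) risk analysis at authorization-object level.

Added example for this article, not SAP code. Roles, functions, risk ID and
values below are constructed sample data that mimic the structure of a GRC AC
ruleset: functions = required actions/permissions, risks = conflicting functions.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class Auth:
    """One authorization field granted by a role. Each value is a single value
    ("01"), a range ("1000-1999") or a '*' pattern ("FK0*"), as in PFCG."""
    obj: str
    fld: str
    values: tuple


# Constructed roles; object names are modelled on SAP FI objects, values are sample data.
ROLES = {
    "Z_FI_AP_01": (
        Auth("S_TCODE", "TCD", ("FB60", "FB65", "MIR*")),   # enter vendor invoices
        Auth("F_BKPF_BUK", "ACTVT", ("01", "02", "03")),
        Auth("F_BKPF_BUK", "BUKRS", ("1000-1999",)),
    ),
    "Z_FI_MD_02": (
        Auth("S_TCODE", "TCD", ("FK0*",)),                   # FK01/FK02/FK03 via wildcard
        Auth("F_LFA1_APP", "ACTVT", ("01", "02")),            # create/change vendor master
    ),
    "Z_FI_DISP": (
        Auth("S_TCODE", "TCD", ("FK03", "FB03")),
        Auth("F_LFA1_APP", "ACTVT", ("03",)),                 # display only
    ),
}

# Constructed ruleset: a function is satisfied only if ALL its (object, field, value)
# requirements are covered; a risk fires only when ALL its functions are satisfied.
FUNCTIONS = {
    "AP01_ENTER_VENDOR_INVOICE": (("S_TCODE", "TCD", "FB60"), ("F_BKPF_BUK", "ACTVT", "01")),
    "AP02_MAINTAIN_VENDOR_MASTER": (("S_TCODE", "TCD", "FK01"), ("F_LFA1_APP", "ACTVT", "01")),
}
RISKS = {
    "P001_FICTITIOUS_VENDOR_INVOICE": ("AP01_ENTER_VENDOR_INVOICE", "AP02_MAINTAIN_VENDOR_MASTER"),
}


def value_matches(granted: str, required: str) -> bool:
    """Does a granted value (single, range or '*' pattern) cover the required one?
    Ranges compare as strings, as ABAP does. Simplification: a value with '-' and
    no '*' is always read as a range, although real field values may contain '-'."""
    if "-" in granted and "*" not in granted:
        low, high = granted.split("-", 1)
        return low <= required <= high
    return fnmatchcase(required, granted)


def user_auths(role_names):
    """Flatten the authorizations of all roles assigned to a user."""
    return [auth for name in role_names for auth in ROLES[name]]


def has_permission(auths, obj, fld, required):
    return any(
        a.obj == obj and a.fld == fld and any(value_matches(v, required) for v in a.values)
        for a in auths
    )


def has_function(auths, function):
    return all(has_permission(auths, o, f, v) for o, f, v in FUNCTIONS[function])


def analyze_user(role_names, mitigations=()):
    """Object-level analysis -> {risk_id: 'open' | 'mitigated'}. `mitigations` lists
    risk IDs for which a mitigating control is assigned to this user."""
    auths = user_auths(role_names)
    return {
        risk: ("mitigated" if risk in mitigations else "open")
        for risk, functions in RISKS.items()
        if all(has_function(auths, fn) for fn in functions)
    }


def role_name_check(role_names, conflict_matrix):
    """What a system that sees only role names can do: look the assigned roles up in a
    hand-maintained list of conflicting name pairs. Unlisted combinations are invisible."""
    assigned = set(role_names)
    return [pair for pair in conflict_matrix if set(pair) <= assigned]


if __name__ == "__main__":
    user = ["Z_FI_AP_01", "Z_FI_MD_02"]
    matrix = [("Z_FI_AP_01", "Z_FI_VENDOR_CREATE")]   # written before FK0* was added to Z_FI_MD_02
    print(role_name_check(user, matrix))              # []
    print(analyze_user(user))                         # {'P001_FICTITIOUS_VENDOR_INVOICE': 'open'}
    print(analyze_user(["Z_FI_AP_01", "Z_FI_DISP"]))  # {}
```

Running the module shows the role-name check returning nothing while the object-level analysis reports P001 as open: the conflict only exists once the wildcard FK0* in one role is combined with the invoice entry authorizations in the other, and a display-only role with FK03 and ACTVT 03 does not trigger it. A system that sees role names has to be told about every conflicting combination in advance; one that reads the authorization content derives it, which is why a mitigating control can be assigned to the user for a risk that is known and accepted rather than silently missed.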
From this quick technical comparison one might argue that GRC AC is more complex and functionality-rich than IDM. This, however, comes at a price: the license for GRC is far more expensive than the one for IDM. Price is not the only factor of course; there are other important considerations, too.
Both IDM and GRC have been on the market for quite some time, and it is very unlikely for customers with an adequate user access strategy to have neither IDM nor GRC in their SAP landscape (although we will discuss that scenario as well). Most have one or the other; some have both. So, let's see what options those enterprises have in front of them:
  • Enterprises which have both SAP GRC and SAP IDM - this is the best possible starting position, because it opens up many possibilities for future growth. If the two are not yet integrated in terms of risk analysis and/or business role synchronization, then the first thing is to make them talk to each other. This is a simple yet very rewarding integration, which brings valuable insights about the company's identities and systems. If the integration is already up and running, then the company can look at the cloud and start the inevitable transition. The benefit here is that everything established so far can be reused for other cloud-enabled systems with minimal effort and customization. This challenge can be approached in two ways: through IAG or through the SAP Cloud Platform Identity Provisioning service.
  • Enterprises which have one of the two - this option has served many companies loyally throughout the years. For different reasons, however, some have started exploring the option of replacing the existing solution in their landscape with the other (most often IDM with GRC). Without rejecting it outright, our team believes such a replacement will hardly bring anything good to your SAP landscape, apart from a big and complex project. The solution in place, whether IDM or GRC, has been running in the company's landscape for a long time and has its established ways of processing information, approvals, self-service requests, reporting, etc. All of those would need to be recreated in the new solution, since the two cannot reuse the same connectors, workflows, user interfaces, etc. On top of that, loads of valuable historical data would require migration. Too many things can go wrong. A far more meaningful approach would be to build on top of the existing on-premise landscape and either add risk analysis functionality on the side (e.g. with GRC or IAG) or enable hybrid scenarios by connecting to IAS and IPS.
  • Enterprises which have neither GRC nor IDM - this is the option with the most freedom of choice. Depending on the existing landscape, it could make sense to invest only in cloud solutions like IAG and SAP Cloud Identity Services, or, if on-premise is heavily present, it might be worth including GRC and/or IDM in the portfolio. Here the argument for and against one or the other product will probably be the most heated, since no one wants to implement two products with a similar purpose. Keep in mind though that each of the two products is profiled for, and performs better in, certain areas. IDM is known as a pure IAM solution that can quickly get you up and running with your internal and external identities, connecting multiple backend systems for provisioning at a relatively low cost. GRC, on the other hand, is the heavier, more customizable and more powerful (but also more expensive) solution. Another important aspect will inevitably be the availability of skilled resources, since the two products require people with different expertise.

Adapting to the ever-changing requirements of the market means companies need systems that evolve with the proper speed and agility. Technical challenges should not set you back. Instead, they should be used to drive innovation and move the enterprise to the next digital level, where those challenges are no longer blockers but enablers.
Below is my "perfect world" picture, in which SAP IDM and SAP GRC co-exist in a hybrid, digital world that is adaptable, intuitive and automated.

I believe in the hybrid landscape, which utilizes the best of both worlds

A hybrid landscape fits most enterprises nowadays, since they are at a stage where they have not yet moved completely to the cloud and their on-premise landscape is still more important, but innovation and the pace of change have already pushed them in the direction of the cloud.
The on-premise world consists of numerous ABAP systems, including S/4HANA, GRC and others. GRC is connected to all SAP ABAP systems and to IDM for business role synchronization and provisioning. Additionally, IDM connects to Active Directory, which is the bridge to multiple other applications that rely on AD for authentication and authorization. Other third-party non-SAP systems are also connected to and provisioned from IDM.
On the cloud side, IDM is connected to IPS, which maintains a number of proxy systems for cloud solutions like SAP SuccessFactors, S/4HANA Cloud and other SCIM-enabled ones. The enterprise uses Microsoft Office 365, which is connected to the backend Active Directory through replication to Azure AD; Azure AD is in turn connected to IAS, the cloud identity provider, making sure that all employees access enterprise applications with one and the same set of credentials.
IAG is also present in the cloud and connected to the on-premise GRC for a richer set of functionalities. It actively uses three other services on the SAP Cloud Platform: the Workflow Service for handling the approval workflows, the Business Rules Service for controlling automated decisions using Excel-like decision tables, and the Identity Provisioning Service (IPS) for connecting to the cloud target systems. Access to these is facilitated via the Portal service. We complete the picture with a unified custom self-service layer running in the cloud, which offers an intuitive SAP Fiori interface integrated with chatbot functionality. Based on AI algorithms, the interface categorizes each request and routes it to the proper workflows/systems for processing, thus hiding the underlying complexity from the end user, whose sole concern is to receive the requested access as quickly and as transparently as possible.
Do not consider this landscape a project to be created in one go. It is a holistic strategy for making the company future-proof. Splitting it into multiple small steps, completed successfully one after the other, will give a better sense of where you are going and whether you need to adapt the course along the way.

© Copyright 2023 ROIABLE. All Rights Reserved.