With the latest release of SAP Governance, Risk and Compliance (GRC) in version 12 multiple new functionalities were added to its Access Control (AC) module. Integration with SAP Identity Access Governance (IAG) for hybrid risk analysis and user provisioning scenarios, improved user experience with the introduction of Fiori apps, extended functionalities for HANA, new rulesets for Fiori and S/4HANA plus more integration options with SAP Identity Management (IDM) are among the highlights. Additionally, the old GRC version 10.1 is set to go out of maintenance as of 31.12.2020. When you add on top the lack of enough information about the specifics of GRC Access control and IDM, it is only natural that questions started popping up. Is it time to move to another product? Is IAG the right tool for our company? Do we continue using SAP IDM, or rather bet everything on the new SAP GRC? Can GRC AC cover everything, which IDM can? It is not the first time in the SAP world certain functionalities to overlap between different applications, however thorough analysis is always necessary before rushing into final decisions. So, let’s try to clear the picture.
We will first compare the major technical functionalities of the products, followed by a more business-oriented analysis of the future perspectives.
The table below gives a summary of the most important aspects:
| Feature/Functionality | SAP IDM 8.0 SP7 | SAP GRC AC 12.0 SP10 |
|---|---|---|
| Supports Employee sync | HCM / SuccessFactors | HCM / SuccessFactors |
| Provisioning | Yes | Yes |
| Access request | Yes | Yes |
| Approval workflows | Yes | Yes |
| Custom processes/workflows | Yes | Yes |
| Audit trail | Yes | Yes |
| Role usage reporting | No | Yes |
| Automatic business role assignment | Yes | Yes |
| Business role management | Yes | Yes |
| User Access Review (Attestation) | Yes | Yes |
| Access risk analysis, remediation, and mitigation | No | Yes |
| Emergency Access Management (Firefighter) | No | Yes |
| User interface | Web Dynpro (Fiori possible with partner solutions) | Fiori apps |
| Hybrid scenarios | Yes | Yes |
If we take provisioning, both have their preferred target systems, to which they can connect out of the box, while there are others, which require either some customizing or even purchasing/developing additional connectors.
In terms of user experience SAP GRC took first the step to Fiori and delivered new user interfaces for the end user functionality. SAP IDM most probably will follow-up shortly on this, but currently their standard interface is still based on Web Dynpro. This plays a role once we touch on the self-service requests, where the user experience differs drastically in favor of SAP GRC.
SAP GRC relies on SAP Business Workflow for their approval processes, while SAP IdM has its own proprietary workflow engine. Both offer the option to build custom processes, not related to approvals. Additionally, out of the box, SAP IdM supports also the so-called basic approval of master data, which is not available through SAP GRC.
Both products enable hybrid scenarios –IDM through the connection to the SAP Cloud Platform Identity Services: Identity Provisioning (IPS) and Identity Authentication (IAS), and GRC through the connection to IAG. They can also build and distribute business roles and have attestation capabilities.
IDM is not able to make a low-level breakdown of ABAP system permissions, whereas GRC AC can access those on the level of transactions and authorization objects. This also brings the benefit of reporting on the role usage in the respective ABAP systems, which is something IDM does not offer out of the box. GRC supports a functionality called Firefighter, which allows to enable power users for a short period of time. Those users have excessive permissions in the system not usually granted to normal users. For the time they are active the system writes extended log for every single operation performed by them.
From the quick technical comparison someone might argue that GRC AC is more complex and functionality-rich than IDM. However, this does come at a price. The license for GRC is far more expensive than the one for IDM. Price is not the only factor of course, there are other important considerations, too.
Both IDM and GRC have been on the market for quite some time and it is very unlikely for customers with adequate user access strategy to have neither IDM, nor GRC in their SAP landscape (although we will discuss such scenario as well). Most have the one or the other, some have both. So, let's see what options those enterprises have in front of them:
Adapting to the ever-changing requirements of the market means companies need systems that evolve along with the proper speed and agility. Technical challenges should not set you back. Instead they should be used to thrive innovation and move the enterprise to the next digital level, where those challenges are not blockers anymore, rather enablers.
Below is my "perfect world" picture, where SAP IDM and SAP GRC co-exist together in a hybrid, digital world, which is adaptable, intuitive and automated.
Hybrid landscape can cover most of the enterprises nowadays since they are at a stage where they have not yet moved completely to the cloud, their on-premise landscape is still more important, but innovation and pace of changes have already pushed them in the direction of the cloud.
The on-premise world consists of numerous ABAP systems, which include S/4HANA, GRC and others. GRC is connected to all SAP ABAP systems and to IDM for business role synchronization and provisioning. Additionally, IDM is used to connect to Active Directory, which is the bridge to multiple other applications, which rely on AD for authentication and authorization. Other 3rd party non-SAP systems are also connected and provisioned from IDM.
On the cloud side, IDM is connected to IPS, which has a number of proxy systems maintained to cloud solutions like SAP SuccessFactors, S/4HANA Cloud and other SCIM enabled ones. The enterprise is using Microsoft Office 365, which is connected to the backend Active Directory through a replication to Azure AD, which is also connected to IAS as a cloud identity provider, making sure that all employees have access to enterprise applications using one and the same credentials.
IAG is also present in the cloud and connected to the on-premise GRC for a richer set of functionalities. It actively uses three other services on the SAP Cloud Platform - the Workflow Service - for handling the approval workflows, the Business Rules Service - for controlling automated decisions using Excel-like tables and the Provisioning Service – for connecting to the cloud target systems. The access to these is facilitated using the Portal service. We complete the picture with a unified custom self-service layer running in the cloud, which offers an intuitive SAP Fiori interface integrated with chatbot functionality. Based on AI algorithms, the interface can correctly categorize the request and send it to the proper workflows/systems for processing, thus hiding the underlying complexity from the end user, whose sole purpose is to receive the requested access as soon as possible and as transparently as possible.
Do not consider this landscape as a project created in one go. This is a holistic strategy to make the company future-proof. So, splitting it into multiple small steps, which are successfully completed one after the other will provide better sense of where you are going and if you need to adapt the course along the way.