Compliant Identity Management Processes Can Do More

How to Control Authorization Usage for License Compliance

Identity management is a critical component of governance, risk, and compliance (GRC) efforts. To reduce fraud and avoid audit findings, companies need to ensure that only the appropriate authorizations are in place. SAP's solutions for GRC and identity management meet this need with tight integration that allows companies to use them in concert to organize and manage their SAP accounts and authorizations.

When used together, SAP Identity Management provides the workflows for requesting and approving users, while SAP Access Control checks whether new or changed authorizations at the user level represent a risk for the company, that is, it performs segregation of duties (SoD) checks. Once a change passes that check, SAP Identity Management provisions the new authorizations the user needs to carry out the business process.

In some cases, however, a user may pass every SoD check and still hold too many authorizations, including ones that the user's current role does not require or no longer requires. This scenario is why companies should extend their compliant identity management (CIM) processes to monitor how authorizations are actually used, which in turn lets them manage licensing more precisely.

Compliant Identity Management

With CIM processes in place, authorizations that are no longer used can be automatically withdrawn from the user or removed from the relevant SAP roles. Auditors also favor this kind of process because it keeps authorizations to the minimum actually used in an automated, repeatable way.

The same concept can also be used to ensure license compliance. Users may require different license types depending on their roles and authorizations. For example, say a user has an "SAP worker user" license but must now be able to create sales orders. The user would need an authorization for transaction VA01, which would require an upgrade to an "SAP professional user" license. The company can use CIM to anticipate this situation and prevent noncompliance: an external software asset management (SAM) server evaluates the resulting license assignment against the company's overall license entitlement before any authorization is changed (see Figure 1).

Figure 1 — A SAM server works with connected systems directly or via SAP Identity Management to reduce license and compliance risk

The SAM server has access to all connected systems, either directly or via the SAP Identity Management server. It tracks all SAP licenses, non-SAP licenses for other vendors' solutions, and the SAP licenses required for indirect SAP software use. Authorization use is monitored on the SAM server, and the license and cost impact of a proposed change is simulated before the change is committed. If the simulation shows that the company does not have enough SAP licenses in its inventory, the purchasing department or license manager is informed automatically. With this check in front of every authorization change, the organization stays license-compliant instead of discovering shortfalls at audit time.
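The two checks described above (the pre-change license simulation in this section and the usage-based withdrawal of unused authorizations in the previous one) can be modelled in a few dozen lines. The following is an added illustration written for this article, not SAP or SAM product code: the license tier names, the mapping of transaction codes to the tier they require, the inventory figures and the usage dates are all constructed assumptions, and a real deployment would read them from the connected systems.

```python
"""Illustrative model of two CIM checks: simulate the license impact of an
authorization change before granting it, and find authorizations that are
no longer used. Not SAP/SAM product code; all data below is constructed."""
from datetime import date, timedelta

# License tiers ordered from least to most capable (assumed for the example).
TIER_RANK = {"worker": 0, "employee": 1, "professional": 2}

# Minimum tier a transaction requires (assumed mapping; a SAM server would
# hold the vendor's actual classification).
TCODE_TIER = {
    "SU3": "worker",          # maintain own user profile
    "MM03": "employee",       # display material
    "VA03": "employee",       # display sales order
    "VA01": "professional",   # create sales order
    "ME21N": "professional",  # create purchase order
}


def required_tier(tcodes):
    """Return the highest tier demanded by any transaction in the set.
    An unknown transaction is treated as the most expensive tier so that a
    gap in the mapping can only over-estimate, never under-license."""
    best = "worker"
    for tcode in tcodes:
        tier = TCODE_TIER.get(tcode, "professional")
        if TIER_RANK[tier] > TIER_RANK[best]:
            best = tier
    return best


def simulate_change(user, new_tcodes, inventory):
    """Evaluate a requested authorization change before it is applied.

    user:      {"name": str, "license": tier, "tcodes": [...]}
    inventory: {tier: number of free (unassigned) licenses}
    Returns (decision, needed_tier, detail) where decision is one of
    "approve" (current license suffices), "upgrade" (a free license of the
    needed tier exists) or "block" (no free license: notify purchasing)."""
    target = required_tier(set(user["tcodes"]) | set(new_tcodes))
    if TIER_RANK[target] <= TIER_RANK[user["license"]]:
        return ("approve", user["license"], "current license already covers the change")
    if inventory.get(target, 0) > 0:
        return ("upgrade", target, f"assign a free {target} license, then grant")
    return ("block", target, f"no free {target} license in inventory: notify purchasing")


def stale_authorizations(user_tcodes, usage, today, max_idle_days=90):
    """Return the transactions a user holds but has never used, or has not
    used within max_idle_days. usage maps tcode -> last-used date."""
    cutoff = today - timedelta(days=max_idle_days)
    return sorted(t for t in user_tcodes if usage.get(t) is None or usage[t] < cutoff)


def tier_after_cleanup(user, stale):
    """Tier the user still needs once the stale authorizations are withdrawn;
    lets the SAM server propose a downgrade as well as an upgrade."""
    return required_tier(set(user["tcodes"]) - set(stale))


if __name__ == "__main__":
    # Constructed sample data.
    clerk = {"name": "jdoe", "license": "employee", "tcodes": ["SU3", "MM03", "VA03"]}
    print(simulate_change(clerk, ["VA01"], {"professional": 0}))   # block
    print(simulate_change(clerk, ["VA01"], {"professional": 2}))   # upgrade
    print(simulate_change(clerk, ["VA03"], {}))                    # approve

    today = date(2024, 6, 1)
    buyer = {"name": "asmith", "license": "professional", "tcodes": ["SU3", "VA03", "ME21N"]}
    usage = {"SU3": today - timedelta(days=5), "VA03": today - timedelta(days=10)}
    stale = stale_authorizations(buyer["tcodes"], usage, today)
    print(stale, tier_after_cleanup(buyer, stale))                 # ['ME21N'] employee
```

The order of operations matters: `simulate_change` runs on the union of the current and requested authorizations before anything is provisioned, so an approval workflow can attach the decision to the request rather than discovering the shortfall afterwards. The cleanup path is the mirror image: once unused transactions are withdrawn, `tier_after_cleanup` shows whether the user can drop to a cheaper tier, which is where the licensing saving comes from.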

For more, contact me at or 1-617-307-7733, or visit our US office at 113 Braintree St., Ste. 703, in Boston.