By Fred Donovan, Senior Editor, SAPinsider
As the COVID-19 pandemic raged across the world in 2020, French pharmaceuticals maker Sanofi was one of the companies working to develop vaccines for the highly contagious disease.
At the same time, Sanofi was working with Accenture and KPMG to migrate from SAP ERP Central Component System to SAP S/4HANA and consolidate and optimize its IT environment. This was an ambitious undertaking considering the unique economic environment, the firm’s multinational reach, and the heavily regulated nature of the pharmaceutical industry.
Sanofi had to ensure that it could keep its backoffice and industrial business processes secure throughout the migration process. A focus of the effort was to update its access management capabilities, explains Roberto Diaz Coma, Center of Excellence, User Access Management Lead, Sanofi.
“As part of our move to SAP S/4HANA, we had to consolidate and optimize our security, especially access management in the new environment to allow users the right access to do their jobs while also managing the risks,” Diaz says.
“We used SAP because our IT landscape has many SAP solutions already, so it was natural for us to move to SAP S/4HANA and SAP Access Control was part of this solution,” he adds.
SAP Fiori Deployment Increased Number of Roles
Diaz explains that Sanofi also deployed SAP Fiori to improve user experience, which increased by thousands the number of SAP roles. With help from Accenture, KPMG, and Infosys, Sanofi implemented an improved role design concept using business roles that combined transactional elements with SAP Fiori user roles in order to put technical roles into business terms that everyone could understand. This enabled the company to incorporate new authorization concepts for the SAP Fiori user experience.
“SAP S/4HANA required a close review of new business roles and authorizations. So you can’t just replicate security from the former system. SAP Fiori and SAP S/4HANA create new ways to access data, and the segregation of duties (SoD) matrix needed to reflect these changes,” Diaz relates.
“We are creating a global system for the organization, increasing user access management activity. We required a system that can ensure stability to handle it,” he says.
In addition, Sanofi needed to have stringent electronic approvals, provisioning, and secondary approval requirements specific to the pharmaceuticals industry, and SAP Access Control’s workflow engine and audit trails supported these requirements, Diaz says.
Sanofi needed to enable user access self-service and leverage the scalability of SAP Access Control to handle the influx of user access requests and approvals as well as the creation and management of roles.
The company also had to manage periodic certifications and requests for temporary access to critical parts of its application and data. According to Diaz, automation of the process helped ensure efficiency and effective risk management.
Sanofi uses SAP Access Control modules, including access risk analysis, business role management, access request management, and emergency access management.
“We had the internal knowledge and experience with SAP GRC solutions previously, and we built on that investment and skill set. We had experience with previous versions of SAP Access Control, including native integration and rulesets for SAP,” Diaz says.
Sanofi’s Digital Transformation Roadmap
Sanofi has developed a roadmap for digital transformation that includes a move to the cloud. Diaz says he is looking into extending access controls to third-party cloud solutions and how SAP Cloud Identity Access Governance can help with this effort.
As a result of the user access management update, user satisfaction has increased, particularly related to SAP Fiori applications. In addition, Sanofi has simplified its business role catalog.
Sanofi also reduced security incidents by 50% by consolidating legacy systems and helped ensure compliance with Sarbanes-Oxley and other regulations.
Diaz shares some key takeaways from the user access management update. First, start with clean roles during the design phase of the project. This leads to smoother rollout, lower costs, reduced risks, and fewer audit issues.
It is also essential to update the SoD matrix to align with the changes introduced by SAP S/4HANA and SAP Fiori, which bring new considerations in the number of systems and roles to be managed.
“Streamlined business role management is key to handle these changes by grouping roles from multiple platforms in a single business role. It is also key to improve user experience with user access management because we are simplifying the business role catalog,” he says.
Sanofi held several meetings with the SAP Center of Excellence during the blueprint phase of the project, and they provided “very valuable advice based on solutions and prior experience with other customers,” Diaz says.
Sanofi’s user access management update leveraging SAP Access Control helped reduce costs, streamline business roles, improve user experience, boost security, and ease the migration to SAP S/4HANA and SAP Fiori.
What Does This Mean for SAPinsiders
- When updating your user access management system, make sure that you begin with clean roles during the project’s design phase. This leads to smoother rollout, lower costs, reduced risks, and fewer audit issues.
- If you are migrating to SAP S/4HANA, ensure that you update your SoD matrix to align with the changes introduced by the migration, which often brings new considerations in the number of systems and roles to be managed.
- Include SAP and other advisors early in the SAP S/4HANA process to ensure that you consider the impact of SAP S/4HANA migration on user access management and other security areas.
- Headquarters: Paris, France
- Industry: Pharmaceuticals
- Employees: 100,410
- Revenue: 43.5 billion US dollars
- Company details: Sanofi engages in the research and development, manufacturing, and marketing of pharmaceuticals in the prescription and over-the-counter markets. Sanofi is one of the top 10 pharmaceutical companies globally.
- SAP Solutions: SAP S4/HANA, SAP Fiori, SAP Access Control, SAP ABAP, SAP NetWeaver
Watch a short video interview with Roberto Diaz Coma.