Leveraging RPA and Web Services to Automate SAP Governance with SAP Access Control

By Brianna Shipley, Senior Editor, SAPinsider

Jabil, a large electronic manufacturing organization with some diversified interests, was founded in Michigan in 1966. Today they have one hundred sites all over the world with over 200,000 employees. Due to acquisitions and a growth in their business over the last five years, Jabil’s SAP landscape has evolved from a single SAP instance to a complex SAP production system that includes three ECC instances (one for their core business, one for their Nypro division, and one for their healthcare division) and an SAP S/4HANA instance (for the packing division) with a grand total of over 33,600 users across all SAP instances. Between Jabil’s SAP BW/4HANA instance, GTS/GRC server, and solution manager system, there are approximately 12,200 users.

As a result of growth in the environment and the overall business, Jabil found themselves challenged to keep up with changing organizational elements, including an increase in the volume of access requests and exceptions. This challenge served as a driver for their decision to move to robotic process automation (RPA) and web services to automate SAP governance with SAP Access Control.

Increase in Access Requests Drives Need for Automation

Jabil’s GRC architecture follows a three-tiered landscape with sandbox usage and is connected to both production and non-production systems. The GRC architecture is used for provisioning access to sandbox, development, and staging systems across multiple SAP clients and has over 70 connectors.

The organization’s SAP Access Control landscape utilizes a single global segregation of duties (SOD) ruleset across all production systems. Risk analysis is performed against the production systems at the time of the access request: when an access request is created, the risk analysis runs automatically and the request is routed by workflow to the proper channels. User access for all production and non-production systems is provisioned through SAP Access Control access requests.

Jabil is not currently using SAP NetWeaver Business Rules Management for role maintenance, but they are considering it, says Susan Zortea, Global Governance Lead at Jabil, who will present Jabil’s full case study at SAPinsider’s virtual event on May 5, including sessions covering cloud, data management, security, finance, and SAP S/4HANA, in addition to GRC. She says that Jabil is using business roles for one of their SAP instances and is evaluating them for further development, “but right now business roles are being used in a limited capacity.” User access review is not being used in GRC, but Jabil is leveraging the same process for SAP and other non-SAP applications in an outside system. “Since we are considering upgrading at some point in time we will review this and consider using user access review in GRC,” Zortea says. Lastly, firefighter functionality is configured and used for the production system.

To determine the feasibility of utilizing RPA around their SAP governance processes, Jabil decided to create a proof of concept (POC) around a process that was low in complexity, repeatable, and causing the most pain. Jabil’s provisioning process, which includes managers and role approvers (two points that access requests pass through before they reach governance if there is an SOD violation), proved to be a good place to start.

During the provisioning process, an employee enters an access request into SAP Access Control for a manager to either approve or reject. The request then moves on to the role owner, who approves or rejects it, and then moves to completion, where access is assigned if no governance is needed.

For Jabil, the bottleneck occurred when either the manager or the role owner was missing or incorrect. In either of these scenarios the ticket would fall into an escape path, then into the governance cube, resulting in the need for manual resolution. This manual process required each team member to look up the correct information in Active Directory, enter it into the GRC system, and then re-route the ticket.

Considering Jabil’s dynamic nature and the fact that people managers and role owners change on a regular basis, this manual process was becoming too time-consuming to handle the increasing number of requests. Jabil’s POC helped them determine the value RPA offered in streamlining the process.

Future State Using the Bot

Today Jabil’s GRC access request process is almost entirely automated, and the RPA solution can resolve escape path conditions automatically. In addition to this automatic resolution, Jabil has experienced the following benefits of RPA:

  • Higher quality: Human error has been reduced to a minimum and an audit trail has been completed and aligned with compliance.
  • Productivity increase: Processes move faster, and availability is every hour on the hour. Jabil has also been able to take the employees’ time that was spent on manually collecting the data for these escape path tickets and focus on value-adding activities.
  • Cost reduction: Jabil lowered their process costs and they’re easily scalable. They also experienced a rapid return on investment because it didn’t require much IT intervention to create a bot.
  • Ease of implementation: Initial results were possible within 30 working days and no significant IT support was required.

During the full case study presentation at SAPinsider’s virtual event, Zortea will go into detail about the POC paths Jabil explored before deciding which to move forward with, bot design considerations, important considerations for deploying RPA, and alternative solutions Jabil considered when creating a POC.

Web Services Further Enhance Capabilities in SAP Access Control

Zortea will also discuss how Jabil was able to leverage a standard GRC web service to interact with SAP Access Control.

Jabil continually manages large projects and acquisitions that require many users—numbering in the thousands—to be provisioned and granted access during a go-live period. Having these access requests created is essential in order to allow each user to get into the system via a formal compliance-accepted request; however, Jabil’s project teams were challenged to find the time to create such a huge volume of requests simultaneously and within the tight constraints of each project’s timeline. Jabil is now able to mass create GRC access requests using their web service, which allows for preventative SOD checks and the ability to maintain governance prior to go-lives.

In her presentation, Zortea will explain how Jabil’s web service interacts with SAP Access Control using a specific XML format generated by a macro in an Excel document. She will also review additional access control automation opportunities, Jabil’s automation process, and important lessons learned.