
The tightrope of productivity and Identity and Access Management (IAM)

Aug 14, 2024

2 min read


During my time as an SAP functional consultant I did my due diligence to understand the business requirements proposed by our partners. I would then fulfill these requirements by leveraging SAP's standard functionality, combined with custom configuration or code, to ensure the business could carry out its day-to-day tasks.

 

However, the addition of new functionality often means modifying or adding user roles, privileges and access. This is where I first encountered the balancing act between identity and access management (IAM) and business user productivity. SAP recommends the use of standard base roles with their default privileges and access; but there were times as a functional consultant when I found myself in organizations with more SAP roles than business users, or vice versa.

 

Therefore, as a consultant, I had to know when and how to deviate from the textbook assignment of a user role. To succeed in this balancing act I needed two layered and vast components: an understanding of Governance, Risk and Compliance (GRC) definitions, and business user role knowledge.

 

Let's begin with the GRC components. GRC is a comprehensive framework that organizations use to manage: policies, procedures, oversight and accountability, known as Governance; the assessment and mitigation of threats and vulnerabilities, known as Risk Management; and regulatory requirements together with the reporting and auditing of systems, known as Compliance. But how does IAM fit into GRC? IAM ensures that only authorized individuals can access specific data sets and systems, through access policies and procedures. It is by enforcing those policies and procedures that IAM mitigates risks such as data breaches and limits the damage an attacker can do with a stolen credential or an exploited vulnerability: a zero-day exploit still only reaches what the compromised account was allowed to reach. Finally, IAM supports compliance by tracking and documenting system access against government and industry standards. In short, IAM is one of many tools used to apply the GRC framework in an organization.

 

The second component needed to succeed in the balancing act is business user knowledge. For IT departments to draw on that knowledge, business users have to participate: IT (security teams) and business users must engage with each other to understand the tasks required within each business role, so that organizational policies and job functions are properly aligned. The defining principle here is "least privilege": a role is granted only the permissions its tasks actually require, and no more. IAM systems typically enforce this through role-based access control (RBAC), which assigns permissions to roles and roles to users, rather than granting permissions to individuals one by one. Business user participation also reduces the chance of creating overlapping or conflicting roles, for example two roles that largely duplicate each other, or a role combination that lets one person both create and approve the same transaction (a segregation-of-duties conflict).
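As an added example (not code from the original post), here is a small Python model of the RBAC and least-privilege ideas above: roles map to permissions, users map to roles, and helper functions compute a user's effective permissions, check a requested permission, flag segregation-of-duties conflicts, report roles that overlap, and show where a user's assignment exceeds or falls short of the tasks the business defined. The role names, permission names, users and rules are constructed sample data, not taken from any real SAP system.

```python
"""Toy RBAC model illustrating least privilege and role conflicts.

Added example; role, permission and user names are constructed sample
data, not from any real SAP landscape.
"""
from itertools import combinations

# Roles and the permissions (think: transactions / authorization objects) they grant.
ROLE_PERMISSIONS = {
    "AP_CLERK":    {"PO_CREATE", "INVOICE_POST"},
    "AP_APPROVER": {"PO_APPROVE", "INVOICE_POST"},
    "AP_VIEWER":   {"PO_DISPLAY"},
    "BASIS_ADMIN": {"USER_ADMIN", "TRANSPORT_IMPORT"},
}

# Segregation-of-duties rules agreed with the business: no single user may
# hold both permissions in a pair.
SOD_RULES = [
    ("PO_CREATE", "PO_APPROVE"),
    ("USER_ADMIN", "INVOICE_POST"),
]

# Role assignments; "bob" was given clerk and approver "to keep him productive".
USER_ROLES = {
    "alice": {"AP_CLERK"},
    "bob":   {"AP_CLERK", "AP_APPROVER"},
    "carol": {"AP_VIEWER"},
}


def effective_permissions(user, user_roles=USER_ROLES, role_permissions=ROLE_PERMISSIONS):
    """Union of the permissions granted by every role the user holds."""
    perms = set()
    for role in user_roles.get(user, set()):
        perms |= role_permissions.get(role, set())
    return perms


def is_authorized(user, permission, user_roles=USER_ROLES, role_permissions=ROLE_PERMISSIONS):
    """The access check an application performs at the point of use."""
    return permission in effective_permissions(user, user_roles, role_permissions)


def sod_violations(user, sod_rules=SOD_RULES, user_roles=USER_ROLES, role_permissions=ROLE_PERMISSIONS):
    """SoD pairs that the user's combined roles violate (sorted for stable output)."""
    perms = effective_permissions(user, user_roles, role_permissions)
    return sorted((a, b) for a, b in sod_rules if a in perms and b in perms)


def overlapping_roles(role_permissions=ROLE_PERMISSIONS):
    """Pairs of roles that share permissions: a symptom of role sprawl."""
    overlaps = {}
    for r1, r2 in combinations(sorted(role_permissions), 2):
        shared = role_permissions[r1] & role_permissions[r2]
        if shared:
            overlaps[(r1, r2)] = shared
    return overlaps


def least_privilege_gap(user, required, user_roles=USER_ROLES, role_permissions=ROLE_PERMISSIONS):
    """Compare what a user holds with what the business says the job needs.

    'excess' is what least privilege says to remove; 'missing' is what would
    block the user's day-to-day tasks (the productivity side of the tightrope).
    """
    have = effective_permissions(user, user_roles, role_permissions)
    required = set(required)
    return {"excess": have - required, "missing": required - have}


if __name__ == "__main__":
    for user in USER_ROLES:
        print(user, sorted(effective_permissions(user)), "SoD:", sod_violations(user))
    print("overlapping roles:", overlapping_roles())
    # The business says bob's job is to create purchase orders only.
    print("bob gap:", least_privilege_gap("bob", {"PO_CREATE"}))
```

Running it shows the two sides of the balancing act at once: `bob` has an SoD violation and two excess permissions once the business states that his job is only to create purchase orders, while `overlapping_roles` flags that the clerk and approver roles both carry `INVOICE_POST`, the kind of duplication that accumulates when roles are copied and tweaked per request instead of being defined with the business.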

 

In short, the business user's knowledge drives and determines the security requirements of role management. Security teams can and should make modifications only once the business has defined its needs. Note that business access requirements are not the same as system administrative access requirements; it is imperative that IT and business teams understand and define this difference for their organization as both see fit.


Resources consulted:

https://www.oceg.org/glossary/en/ 

https://www.nist.gov/search?s=GRC+framework&index=all-meta-engine


