International Nonprofit Strengthens SAP S/4HANA and Fiori Security with Pathlock's Application Access Governance Solution

A relatively new organization, founded in 2000, this European-based international nonprofit brings together public and private sectors with the shared goal of saving lives and protecting people’s health by increasing the equitable and sustainable use of vaccines. In 2019, the organization implemented SAP, but several years later, faced challenges with managing user access across the organization. The client’s Chief Information Officer wanted to improve security and ensure compliance with regulations within the SAP environment, with a focus on making access governance more efficient and ensuring the right people have the right access without overlapping duties that would pose risks. The client also wanted to simplify access management, reduce the complexity of its processes and ensure it could meet ongoing regulatory requirements. By refining its approach, the organization aimed to increase efficiency, boost security, and maintain a strong compliance system.

The client engaged Protiviti to implement a robust Segregation of Duty (SoD) framework for both its SAP S/4HANA solution and a standalone FIORI platform. To comply with IT standards and mitigate the risks associated with conflicting roles and authorizations, the client required a comprehensive tool for managing and enforcing SoD policies.

Defining and enhancing the Pathlock ruleset

We recommended and deployed the Pathlock Application Access Governance (AAG), which can perform fine grain SoD checks on SAP environments. This implementation enhances role management, automates risk detection, and provides actionable insights to ensure regulatory compliance. By integrating Pathlock AAG, the client benefits from streamlined processes, improved operational security, and strengthened governance across the SAP landscape.

After the project kick-off, we began by tailoring the ruleset to the client’s needs. This foundational phase involved working closely with Pathlock to ensure that the tool fully supported the client’s standalone FIORI environment. To address specific requirements, Pathlock delivered a customized hot fix, enabling accurate risk detection and management for FIORI roles. Concurrently, we engaged the client’s business process owners through a series of workshops to define applicable risk levels tailored to their operational and compliance needs. Once the ruleset was defined, it was uploaded and configured within the Pathlock solution.

Processes and workflows

The second phase of the project focused on defining processes and implementing workflows in Pathlock for role design, user management, and access recertification. We simplified and improved how roles and access are managed to ensure that users have the right level of access while meeting compliance requirements. This included setting up workflows, defining roles, and documenting the processes to ensure better governance and reduce potential risks. Additionally, the access review and recertification processes were automated while all documentation was prepared for audits.

Automated request workflows were also configured for user access provisioning with automated SoD checks as well as de-provisioning and access reviews with approval from business owners. These processes were configured in Pathlock AAG to provide the client with an efficient, automated solution for managing access and enforcing governance policies.

Setting up reporting

In the final phase, we defined and configured reports within Pathlock to support communication with the leadership team and demonstrate compliance to the auditors. These reports were tailored to provide clear insights into risk mitigation, user access, and SoD compliance. By aligning report formats with leadership and audit requirements, we ensured the client effectively highlighted key metrics and compliance achievements, enabling transparency, and supporting regulatory adherence.

Tangible results

The project brought important improvements by boosting security and ensuring compliance in the client’s SAP S/4HANA system. Custom rules for managing access and clearer role management strengthened access control, reducing overlapping duties and mitigating high-risk SoD conflicts. These enhancements ensured compliance with regulatory requirements such as SOX and GDPR, verified through external audits. The implementation of an automated access management system improved efficiency, cutting manual effort by 70 percent, while reducing access request turnaround time from three days to six hours. Streamlined review processes enhanced audit readiness, cutting preparation time by 60 percent and decreasing audit findings related to access management. Better reporting tools significantly improved reporting speed, reducing the time to generate compliance reports from eight hours to 30 minutes. These advancements provided the client with clearer insights into user activities and compliance, supporting stronger risk management, ongoing monitoring, and the detection of policy violations 50 percent faster.