International Nonprofit Strengthens SAP S/4HANA and Fiori Security with Pathlock's Application Access Governance Solution

Client Snapshot

Profile: This public-private partnership helps vaccinate more than half the world's children against some of the world's deadliest diseases.

Client Situation: After implementing SAP in 2019, this client faced challenges with excessive access and with managing user access across the organisation, and wanted to improve its user access governance.

Work Performed: Protiviti helped design new processes and implemented Pathlock Application Access Governance to support SoD management with a custom ruleset, role management, compliant user provisioning with SoD checks, and user access recertifications.

Outcome/Benefits: The project brought important improvements by enhancing security and ensuring compliance in the client's SAP S/4HANA system. Custom rules for managing access and clearer role management helped strengthen access control, reduce the chance of overlapping duties, and meet regulatory requirements.

A relatively new organisation, founded in 2000, this European-based international nonprofit brings together the public and private sectors with the shared goal of saving lives and protecting people's health by increasing the equitable and sustainable use of vaccines. In 2019, the organisation implemented SAP, but several years later it faced challenges with managing user access across the organisation. The client's Chief Information Officer wanted to improve security and ensure compliance with regulations within the SAP environment, with a focus on making access governance more efficient and ensuring that the right people have the right access, without overlapping duties that would pose risks. The client also wanted to simplify access management, reduce the complexity of its processes and ensure it could meet ongoing regulatory requirements.
By refining its approach, the organisation aimed to increase efficiency, boost security, and maintain a strong compliance system. The client engaged Protiviti to implement a robust Segregation of Duties (SoD) framework for both its SAP S/4HANA solution and a standalone Fiori platform. To comply with IT standards and mitigate the risks associated with conflicting roles and authorizations, the client required a comprehensive tool for managing and enforcing SoD policies.

Defining and enhancing the Pathlock ruleset

We recommended and deployed Pathlock Application Access Governance (AAG), which can perform fine-grained SoD checks on SAP environments. This implementation enhances role management, automates risk detection, and provides actionable insights to ensure regulatory compliance. By integrating Pathlock AAG, the client benefits from streamlined processes, improved operational security, and strengthened governance across the SAP landscape.

After the project kick-off, we began by tailoring the ruleset to the client's needs. This foundational phase involved working closely with Pathlock to ensure that the tool fully supported the client's standalone Fiori environment. To address specific requirements, Pathlock delivered a customized hotfix, enabling accurate risk detection and management for Fiori roles. Concurrently, we engaged the client's business process owners through a series of workshops to define applicable risk levels tailored to their operational and compliance needs. Once the ruleset was defined, it was uploaded and configured within the Pathlock solution.

Processes and workflows

The second phase of the project focused on defining processes and implementing workflows in Pathlock for role design, user management, and access recertification. We simplified and improved how roles and access are managed to ensure that users have the right level of access while meeting compliance requirements.
This included setting up workflows, defining roles, and documenting the processes to ensure better governance and reduce potential risks. Additionally, the access review and recertification processes were automated, and all documentation was prepared for audits.

Automated request workflows were also configured for user access provisioning with automated SoD checks, as well as for de-provisioning and access reviews with approval from business owners. These processes were configured in Pathlock AAG to provide the client with an efficient, automated solution for managing access and enforcing governance policies.

Setting up reporting

In the final phase, we defined and configured reports within Pathlock to support communication with the leadership team and demonstrate compliance to the auditors. These reports were tailored to provide clear insights into risk mitigation, user access, and SoD compliance. By aligning report formats with leadership and audit requirements, we ensured the client could effectively highlight key metrics and compliance achievements, enabling transparency and supporting regulatory adherence.

Tangible results

The project brought important improvements by boosting security and ensuring compliance in the client's SAP S/4HANA system. Custom rules for managing access and clearer role management strengthened access control, reducing overlapping duties and mitigating high-risk SoD conflicts. These enhancements ensured compliance with regulatory requirements such as SOX and GDPR, verified through external audits. The implementation of an automated access management system improved efficiency, cutting manual effort by 70 percent, while reducing access request turnaround time from three days to six hours. Streamlined review processes enhanced audit readiness, cutting preparation time by 60 percent and decreasing audit findings related to access management.
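The compliant provisioning with automated SoD checks described above rests on one mechanism: evaluating a requested role against the user's existing roles and a ruleset of conflicting business functions, each carrying a risk level agreed with the business process owners. The following is an added illustration of that preventive check, not Pathlock's or Protiviti's code; the ruleset, role names and risk levels are constructed, and only conflicts newly introduced by the request are counted, since pre-existing ones belong to the recertification process.

```python
from dataclasses import dataclass

# Constructed ruleset: pairs of conflicting business functions and the risk
# level the business process owners assigned to each pair (hypothetical names).
RULESET = {
    frozenset({"CREATE_VENDOR", "POST_VENDOR_PAYMENT"}): "HIGH",
    frozenset({"MAINTAIN_PO", "APPROVE_PO"}): "HIGH",
    frozenset({"POST_JOURNAL", "CLOSE_PERIOD"}): "MEDIUM",
}

# Constructed role catalogue: which business functions each SAP role grants.
# Backend roles would be resolved from their transaction codes and Fiori roles
# from the apps in their business catalogs; both map onto the same functions.
ROLE_FUNCTIONS = {
    "Z_AP_CLERK": {"CREATE_VENDOR"},
    "Z_AP_PAYMENT_RUN": {"POST_VENDOR_PAYMENT"},
    "Z_FIORI_PURCHASER": {"MAINTAIN_PO"},
    "Z_FIORI_PO_APPROVER": {"APPROVE_PO"},
    "Z_GL_ACCOUNTANT": {"POST_JOURNAL"},
    "Z_FI_CLOSING": {"CLOSE_PERIOD"},
}

@dataclass(frozen=True)
class Conflict:
    functions: frozenset  # the two conflicting business functions
    risk: str             # risk level from the ruleset
    roles: frozenset      # roles that together grant both sides

def find_conflicts(roles):
    """Return every ruleset violation granted by this combination of roles."""
    granted = {}  # business function -> roles granting it
    for role in roles:
        for fn in ROLE_FUNCTIONS.get(role, set()):
            granted.setdefault(fn, set()).add(role)
    hits = set()
    for pair, risk in RULESET.items():
        if pair.issubset(granted):  # both sides of the rule are granted
            involved = frozenset().union(*(granted[f] for f in pair))
            hits.add(Conflict(pair, risk, involved))
    return hits

def evaluate_request(existing_roles, requested_roles):
    """Preventive SoD check on a provisioning request.
    Returns (decision, conflicts newly introduced by the request)."""
    before = find_conflicts(set(existing_roles))
    after = find_conflicts(set(existing_roles) | set(requested_roles))
    new = after - before
    if any(c.risk == "HIGH" for c in new):
        return "BLOCK", new             # request or role design must change
    if new:
        return "NEEDS_MITIGATION", new  # approver must attach a control
    return "APPROVE", new
```

Checking the union of existing and requested roles, rather than the requested roles alone, is what catches the cross-role conflicts that single-role reviews miss.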
Better reporting tools significantly improved reporting speed, reducing the time to generate compliance reports from eight hours to 30 minutes. These advancements provided the client with clearer insights into user activities and compliance, supporting stronger risk management, ongoing monitoring, and the detection of policy violations 50 percent faster.

"We appreciate the dedication, expertise, and collaboration shown by Protiviti and Pathlock throughout the process of implementing SoD in our SAP environment."
Head of Architecture

70%: Reduction in manual effort with the introduction of an automated access management system
60%: Reduction in audit preparation time through streamlined review processes
50%: Faster detection of policy violations through stronger risk management and ongoing monitoring

Topics: IT Management, Applications and Transformation; Risk Management and Regulatory Compliance