Navigating Security and GRC Optimisation during an SAP S/4HANA Conversion

Client Snapshot

Profile

This midstream service provider helps deliver essential energy and inputs and is focused on ensuring the reliability and performance of its systems, creating sustainable cost efficiencies, enhancing its safety culture and protecting the environment.

 

Situation

This client was embarking on an SAP upgrade to enhance business processes and improve data visibility. This involved replacing a highly customised SAP R/3 environment with a new SAP S/4HANA environment designed specifically for a midstream business.

 

Work Performed

Protiviti had four areas of focus within the SAP transformation project: redesigning roles in SAP S/4HANA and Fiori, implementing security for Success Factors, Ariba, and Business Warehouse, implementing GRC Access Control, and conducting an S/4HANA Automated Controls assessment.

 

Outcome/Benefits

The client now has aligned SAP production security roles to a leading practice design, reducing Segregation of Duties (SoD) conflicts by 99% at the single role level. An enhanced SoD ruleset and implemented automated user provisioning process with preventive SoD checks built-in is also now in place.

 

Staying ahead of the curve is critical for any business to succeed, but particularly in the oil and gas industry, where rapidly changing market factors can quickly alter an organisation’s course. As this company launched an organisation-wide business transformation, its leadership team determined the time was right to upgrade their SAP platform, an evolution that would streamline business processes and improve data visibility to enable better business decisions.

The client was looking for a partner to support the security and controls aspects of replacing its highly customised SAP R/3 environment, designed and implemented for an integrated oil company, with a new SAP environment, now designed specifically for this midstream business.  ​

A comprehensive approach to security and controls

Following our initial consultations with the client’s leadership team, it was determined we would support four key areas to provide the appropriate level of focus on security and controls:

  • S/4HANA and Fiori security design​
  • SuccessFactors, Ariba and Business Warehouse security design​
  • GRC Access Control implementation​
  • S/4HANA Automated Controls assessment

S/4HANA and Fiori security design

The S/4HANA and Fiori security design included designing end-user production access roles for all business processes in scope for the organisation-wide transformation project. The objectives of the S/4HANA and Fiori Security Design included:​

  • Designing and implementing new end-user security roles in S/4HANA and Fiori to support production security access at go-live as well as future access needs​
  • Enabling a least privilege access approach, reducing excessive access and restricting sensitive access​
  • Minimising Segregation of Duties (SOD) conflicts ​
  • Streamlining the alignment of roles to the organisation

To accomplish these objectives, we analysed transaction code and Fiori app requirements provided by functional teams, extracted legacy ECC usage data as an additional reference and created a preliminary task role design based on best practice templates. We conducted design workshops with all business process teams to review, including data restrictions and business role requirements.

SuccessFactors, Ariba and Business Warehouse security design

The objectives of this security design included:

  • Designing and implementing new end-user security roles and groups in SuccessFactors and Ariba to support production security access at go-live and future access needs
  • Designing and replicating task-based Business Warehouse roles for in-scope transactions and reports and incorporating those into the appropriate business roles
  • Enabling a least privilege access approach, reducing excessive access and restricting sensitive access

For SuccessFactors, we designed and configured role-based permissions according to the security requirements for Employee Central and onboarding functionality and created source and target groups to control access to specific data and populations. For Ariba, the business roles and groups were designed and built to meet security requirements and to reflect feedback from design workshops. User-to-group and user-to-business role mapping was also a step in this process. For Business Warehouse, we replicated and adjusted existing end-user production roles in the upgraded environment, performed technical upgrade steps and incorporated changes into the replicated roles and dynamic data restrictions into those roles.

GRC Access Control implementation

The GRC Access Control implementation consisted of configuring, testing, and implementing GRC Access Control 12.0 as an embedded component on the S/4HANA stack. This included:

  • Designing and implementing Access Risk Analysis, Emergency Access Management (Firefighter), Access Request Management and User Access Review functionality
  • Designing a customised, leading-practice SOD ruleset which included custom transactions, Fiori apps and new S/4 transactions with signoffs from business owners
  • Configuring business roles through business role management to simplify the user provisioning process
  • Building HR trigger integration through SuccessFactors to automate birthright provisioning and user terminations
  • Building a custom program to populate personnel numbers in user master records to enhance the time entry user experience
The client needed to replace its highly customised SAP R/3 environment with a new SAP environment, designed specifically for this midstream business.

S/4HANA automated controls assessment

The S/4HANA automated controls assessment included discovery and planning, focused on creating a preliminary list of leading practices and high-criticality S/4HANA controls. This was followed by several rounds of configuration validation in SAP and Ariba to ensure the internal controls were effectively implemented through the implementation lifecycle.  

Throughout each transformation phase, we performed benchmarking of system configurations against best practices to maximise automated controls implementation.  

Lessons learned throughout the transformation

Throughout each engagement, we regularly meet with the client to determine the key lessons learned. For this client, our learnings focused on ensuring compliance issues were addressed and a sustainable controls environment was established, including some of the following considerations:  

  • Incorporate the security workstream early in the project so it is considered in functional design decisions
  • Stress the importance of stakeholder involvement and engagement in design discussions
  • Minimise the acceptance of design changes past the design phase to prevent re-work that may cause delays in later phases
  • Consider all integration points and dependencies when designing the user access provisioning process
  • Ensure contractual requirements for the system integrator to include your control requirements in the configuration and allocate time in the project plan to make the changes
Loading...