Navigating Security and GRC Optimization during an SAP S/4HANA Conversion

Staying ahead of the curve is critical for any business to succeed, but particularly in the oil and gas industry, where rapidly changing market factors can quickly alter an organization’s course. As this company launched an organization-wide business transformation, its leadership team determined the time was right to upgrade their SAP platform, an evolution that would streamline business processes and improve data visibility to enable better business decisions.

The client was looking for a partner to support the security and controls aspects of replacing its highly customized SAP R/3 environment, designed and implemented for an integrated oil company, with a new SAP environment, now designed specifically for this midstream business.  ​

A comprehensive approach to security and controls

Following our initial consultations with the client’s leadership team, it was determined we would support four key areas to provide the appropriate level of focus on security and controls:

• S/4HANA and Fiori security design​
• SuccessFactors, Ariba and Business Warehouse security design​
• GRC Access Control implementation​
• S/4HANA Automated Controls assessment

S/4HANA and Fiori security design

The S/4HANA and Fiori security design included designing end-user production access roles for all business processes in scope for the organization-wide transformation project. The objectives of the S/4HANA and Fiori Security Design included:​

• Designing and implementing new end-user security roles in S/4HANA and Fiori to support production security access at go-live as well as future access needs​
• Enabling a least privilege access approach, reducing excessive access and restricting sensitive access​
• Minimizing Segregation of Duties (SOD) conflicts ​
• Streamlining the alignment of roles to the organization

To accomplish these objectives, we analyzed transaction code and Fiori app requirements provided by functional teams, extracted legacy ECC usage data as an additional reference and created a preliminary task role design based on best practice templates. We conducted design workshops with all business process teams to review, including data restrictions and business role requirements.

SuccessFactors, Ariba and Business Warehouse security design

The objectives of this security design included:

• Designing and implementing new end-user security roles and groups in SuccessFactors and Ariba to support production security access at go-live and future access needs
• Designing and replicating task-based Business Warehouse roles for in-scope transactions and reports and incorporating those into the appropriate business roles
• Enabling a least privilege access approach, reducing excessive access and restricting sensitive access

For SuccessFactors, we designed and configured role-based permissions according to the security requirements for Employee Central and onboarding functionality and created source and target groups to control access to specific data and populations. For Ariba, the business roles and groups were designed and built to meet security requirements and to reflect feedback from design workshops. User-to-group and user-to-business role mapping was also a step in this process. For Business Warehouse, we replicated and adjusted existing end-user production roles in the upgraded environment, performed technical upgrade steps and incorporated changes into the replicated roles and dynamic data restrictions into those roles.

GRC Access Control implementation

The GRC Access Control implementation consisted of configuring, testing, and implementing GRC Access Control 12.0 as an embedded component on the S/4HANA stack. This included:

• Designing and implementing Access Risk Analysis, Emergency Access Management (Firefighter), Access Request Management and User Access Review functionality
• Designing a customized, leading-practice SOD ruleset which included custom transactions, Fiori apps and new S/4 transactions with signoffs from business owners
• Configuring business roles through business role management to simplify the user provisioning process
• Building HR trigger integration through SuccessFactors to automate birthright provisioning and user terminations
• Building a custom program to populate personnel numbers in user master records to enhance the time entry user experience

S/4HANA automated controls assessment

The S/4HANA automated controls assessment included discovery and planning, focused on creating a preliminary list of leading practices and high-criticality S/4HANA controls. This was followed by several rounds of configuration validation in SAP and Ariba to ensure the internal controls were effectively implemented through the implementation lifecycle.  

Throughout each transformation phase, we performed benchmarking of system configurations against best practices to maximize automated controls implementation.  

Lessons learned throughout the transformation

Throughout each engagement, we regularly meet with the client to determine the key lessons learned. For this client, our learnings focused on ensuring compliance issues were addressed and a sustainable controls environment was established, including some of the following considerations:  

• Incorporate the security workstream early in the project so it is considered in functional design decisions
• Stress the importance of stakeholder involvement and engagement in design discussions
• Minimize the acceptance of design changes past the design phase to prevent re-work that may cause delays in later phases
• Consider all integration points and dependencies when designing the user access provisioning process
• Ensure contractual requirements for the system integrator to include your control requirements in the configuration and allocate time in the project plan to make the changes