Use Case: Streamlining Access Governance in a Global Manufacturing Company

Company Profile:

• Industry: Manufacturing (Automotive Parts)
• Employees: 3,000+ across 4 countries
• Systems: SAP S/4HANA (Finance, Procurement, Production), SAP SuccessFactors (HR), Salesforce (CRM), Legacy Production Systems

Challenges:

• Segregation of Duties (SoD) Violations: Users in procurement could approve invoices and create vendors, posing fraud risks.
• Manual Access Requests: Delay in Access Provisioning
• Audit Failures: Non-compliance with SOX and GDPR due to inconsistent access reviews.
• Role Explosion: 500+ roles across systems, causing redundant access and complexity.

Implementation of SAP IAG: A Step-by-Step Breakdown:

1. Centralized Access Request Management

Problem: Employees request & Approver approve access via email, leading to delays and lack of audit trails.

Solution: SAP IAG Module Used: Access Request Management

Workflow:

• Employees submit requests via a self-service.
• Requests are auto routed to managers and data (role) owners for approval.
• Approved requests trigger automated provisioning in SAP S/4HANA, SuccessFactors out of box and Salesforce via SCIM APIs.

Result:

• Access provisioning time reduced from 7 days to 2 hours.
• 100% audit trail for all requests

2. Role Redesign with AI-Driven Role Mining

Problem: 500+ roles with overlapping access led to SoD conflicts.

Solution: SAP IAG Module Used – Role Management

Process:

• Role Mining: Analyzed 2 years of user access logs to identify patterns
• Role Rationalization: Reduced roles to 150 by grouping users with similar access needs (e.g., merging “Procurement Clerk” and “Inventory Viewer” into “Supply Chain Analyst”).
• SoD Rule Design: Custom rules blocked conflicting access (e.g., “Vendor Creation” and “Invoice Approval” in the same role)..

Result:

• SoD violations reduced by 70%.
• Role maintenance efforts are cut by 50%.

3. Real-Time Access Risk Analysis

Problem:  SoD violations were detected only during annual audits.

Solution: SAP IAG Module Used – Access Risk Analysis

Integration:

• Connected SAP IAG to SAP S/4HANA, SuccessFactors, Salesforce, and legacy systems via SAP Cloud Platform Integration (CPI).
• Configured real-time risk scoring using factors like user location, transaction frequency, and role changes.

Example Alert:

• A user in Brazil accessed “Payment Run” (T-code F110) and “Vendor Master” (T-code XK01) within 24 hours, triggering an auto-remediation workflow to revoke one access right.

Result:

• High-risk access incidents reduced by 65%.

4. Automated Access Certification Campaigns

Problem: Quarterly access reviews took 3 months and were error prone.

Solution: SAP IAG Module Used: Access Certification

Automation:

• Campaign Setup: Defined rules to prioritize high-risk users (e.g., finance, IT admins).
• AI-Driven Recommendations: SAP IAG flagged users with stale access or SoD risks for reviewers.
• Integration with Microsoft Teams: Reviewers approved/revoked access via Teams chatbots.

Result:

• Access review cycle shortened from 3 months to 2 weeks.
• Compliance with SOX and GDPR achieved.

5. Privileged Access Governance with CyberArk Integration

Problem: Shared admin accounts in SAP S/4HANA and legacy systems lacked oversight.

Solution: Integration- SAP IAG + CyberArk via REST APIs.

Workflow:

• Privileged users (e.g., SAP Basis admins) requested elevated access via SAP IAG.
• Approved requests triggered CyberArk to
• Rotate credentials.
• Record sessions.
• Enforce time-bound access.

Result:

• Zero credential theft incidents post-implementation.
• Privileged session recordings reduced audit findings by 90%.

Key Outcomes: