The first notable success case of our company was the creation of a master client (“Golden client”) for user provisioning with SAP GRC Access Control (5.3) at Unilever.
For this reason, we would like to tell you about the process and the highlights of this case, which was presented at the European SAP GRC event in Milan in 2012.
There were several Unilever cases at this event, but this was the only one from the SAP GRC Access Control application.
Unilever, a company of Anglo-Dutch origin, is one of the largest companies in the world and one of the leaders in consumer goods. In addition to belonging to the Fortune 500, it is in the Euro Stoxx 50 and the FTSE 100.
At the time (2011) Unilever did not have an identity management system for SAP. It did, however, have a large number of SAP systems with no centralization or coordination of user account names and of the allocation of user licenses (which determines the cost of the system to the company). When a user was created in a system, it was done by a different team, manually, and with different naming conventions and criteria. This meant that, for the same person, the user data was different depending on the system.
Therefore, the company was paying more than necessary and also had a lack of control over those users who had accounts in different systems, but were not identified as the same user. This indirectly implies a greater risk with respect to access risk control, mainly in the Segregation of Duties (SoD).
A user could have an account in system A and an account in system B, but as they had different identifiers and names, they were considered to be two different users, therefore, possible access conflicts due to incompatible accesses in system A with those in system B would never be detected.
Inprosec has worked with Unilever since its origins; we can really say that Inprosec was born largely thanks to Unilever, as we have told in our 10th anniversary article. Since 2010 we have been working with Access Control, the SAP GRC tool for governance, risk and compliance management: we started with the original VIRSA solution, had by then already updated to the latest Java version (5.3), and later migrated to the ABAP-based version 10.0. Specifically, the solution was achieved by implementing a “Golden client” (central user data repository) integrated with the user provisioning application within SAP GRC Access Control (called “CUP – Compliant User Provisioning” at the time and, since GRC 10, “ARM – Access Request Management”).
At the time Unilever did not have an Identity Management solution covering SAP systems; implementing one would have been a large project and belonged to another area of responsibility. The need from an Internal Control point of view was nonetheless important, so a solution was defined that used the GRC system’s own user database as the central repository and, linked to the continuous use of the GRC AC tool (CUP/ARM) for user provisioning, progressively cleaned up the user accounts.
By using default roles, a naming convention and key fields for users, each time a new user was registered it was created in the central repository (Golden Client) and in all the systems initially required. From that moment on, that would be the user’s identity forever: whenever accounts were created in other systems for the same user, they would be matched to the identity that already existed in the “Golden Client”, and in the other systems the user would always be created with the same data, in an aligned and robust way.
The use of the system and the defined process cleaned up the systems automatically (some review and replacement of old accounts had to be done, but it was minor), as we will see in a graph below.
In addition, another element that already existed but was improved formed an important part of the solution: the “Dormant Deletion program”, the program for deleting unused (or “dormant”) accounts. This process allowed the elimination of those old accounts (with old, unaligned nomenclature) that were no longer used once they had been replaced by the new ones. The savings on licenses came from this part.
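To make the mechanism described in the preceding paragraphs concrete (matching accounts across systems into one central identity, the cross-system SoD check that this makes possible, and the dormant-account step), here is an added illustration in Python. It is not Inprosec’s or SAP’s code: the key field used for matching (personnel number), the naming convention, the SoD rule and all account records are assumptions constructed for the example, and default roles are left out.

```python
"""Toy model of a "Golden Client" central identity repository.

Added illustration, not Inprosec's or SAP's code. Assumptions made for the
example: the key field matching accounts across systems is the personnel
number (pernr), the naming convention is first initial + surname + pernr,
and all account records below are constructed sample data.
"""
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

@dataclass
class Account:
    system: str                 # SAP system the account lives in
    user_id: str                # account name as it exists in that system
    pernr: str                  # key field used to match accounts (assumed)
    first: str
    last: str
    actions: set = field(default_factory=set)   # business actions granted
    last_login: Optional[date] = None

# Constructed sample data: the same two people hold differently named
# accounts in different systems, and one old CRM account is no longer used.
ACCOUNTS = [
    Account("ERP", "JSMITH",   "10001", "John", "Smith", {"CREATE_VENDOR"}, date(2012, 3, 1)),
    Account("BW",  "SMITHJ1",  "10001", "John", "Smith", {"PAY_VENDOR"},    date(2012, 2, 20)),
    Account("ERP", "ADOE",     "10002", "Ann",  "Doe",   {"POST_INVOICE"},  date(2012, 3, 5)),
    Account("CRM", "DOEA_OLD", "10002", "Ann",  "Doe",   {"VIEW_CUSTOMER"}, date(2010, 1, 15)),
]

# Constructed cross-system SoD rule: nobody may both create and pay vendors.
SOD_RULES = [({"CREATE_VENDOR", "PAY_VENDOR"}, "create and pay vendor")]

# Reference date for the dormant-account check (constructed).
AS_OF = date(2012, 4, 1)

def golden_id(acct: Account) -> str:
    """Naming convention assumed for the example: first initial + surname + pernr."""
    return f"{acct.first[0]}{acct.last}{acct.pernr}".upper()

def register(golden: dict[str, str], acct: Account) -> str:
    """Register an account in the Golden Client and return its identity ID.
    An existing identity is reused whenever the key field already matches."""
    return golden.setdefault(acct.pernr, golden_id(acct))

def reconcile(accounts: list[Account]):
    """Map every system account to one golden identity.
    Returns (golden registry keyed by pernr, identity -> list of accounts)."""
    golden: dict[str, str] = {}
    by_identity: dict[str, list[Account]] = {}
    for a in accounts:
        gid = register(golden, a)
        by_identity.setdefault(gid, []).append(a)
    return golden, by_identity

def naive_sod_conflicts(accounts: list[Account], rules=SOD_RULES):
    """Per-account check, as when accounts in different systems are not linked:
    a conflict split across two systems is never seen."""
    return [(a.system, a.user_id, name)
            for a in accounts for combo, name in rules if combo <= a.actions]

def sod_conflicts(by_identity: dict[str, list[Account]], rules=SOD_RULES):
    """Cross-system SoD check: actions are pooled per identity, not per account."""
    hits = []
    for gid, accts in by_identity.items():
        pooled = set().union(*(a.actions for a in accts))
        for combo, name in rules:
            if combo <= pooled:
                systems = sorted(a.system for a in accts if a.actions & combo)
                hits.append((gid, name, systems))
    return hits

def dormant_accounts(accounts: list[Account], today: date = AS_OF, max_idle_days: int = 365):
    """Accounts unused for longer than max_idle_days: candidates for the
    dormant deletion step (the old, unaligned accounts are the usual hits)."""
    return [(a.system, a.user_id) for a in accounts
            if a.last_login is None or (today - a.last_login).days > max_idle_days]

if __name__ == "__main__":
    golden, by_identity = reconcile(ACCOUNTS)
    print("accounts:", len(ACCOUNTS), "unique users:", len(golden))
    print("per-account SoD hits:", naive_sod_conflicts(ACCOUNTS))
    print("cross-system SoD hits:", sod_conflicts(by_identity))
    print("dormant:", dormant_accounts(ACCOUNTS))
```

Run stand-alone, the script reports four accounts but two unique users, no SoD hit when each account is judged on its own, one “create and pay vendor” hit once John Smith’s ERP and BW accounts are pooled under his golden identity, and the old CRM account as the only dormant-deletion candidate.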
In the image we can see the architecture of the GRC system and its connection to the different systems (anonymized), with the “Golden Client” identified, as it was presented in Milan in 2012:
The implementation of this solution within SAP GRC and complemented with an ABAP cleaning program (“dormant deletion program”) helped us to achieve the following benefits:
Cleaning and maintenance of the system
The first and main benefit, from which most of the other benefits follow, is having a cleaner set of systems with a smaller number of accounts to manage, which reduces costs in different areas.
The initial volume of accounts in 13 different systems was almost 35,000 user accounts – 50% of them, about 16,500 in the ERP/master system – and the number of unique users could not be determined. After the solution, the total volume of accounts was less than 20,000 and the number of unique users was less than 14,000.
Greater control over access
After implementation, several improvements were obtained in the control of user accounts and their corresponding accesses. The solution not only allows us to monitor and measure the different parameters in a clear and precise way (before, we could not even know the number of real users in the system or set of systems), but also makes it possible to monitor access risks from segregation of duties that are “cross-system”, also called “cross-application risks” (something we will explain in detail in a technical article).
Reduced User Licensing Costs
The most tangible and quantifiable benefit was the reduction in licensing costs, since before the solution we estimated the number of “unique” users to be about 20,000. After the solution we were left with a real and accurate figure of about 14,000 different users for which license fees would be paid. We estimate that, with an average license cost per user of about 1,000 euros per year, this means about 6M euros of annual savings. Before, the company could be paying for accounts that were really inactive and, in several cases, paying several times for accounts that really belonged to the same person (user).
Self-maintenance and self-management
Certain technical functionalities of SAP GRC made it possible to automate the solution and give it robustness, sustainability and continuity, as the graph below shows very clearly: by means of auto-provisioning in the repository itself (“Golden Client”), the system improved and cleaned itself up automatically.
In the following graph, we can see the final part of the reduction of unnecessary accounts and how the user identifiers were increasing in the “Golden Client”, matching the unique users: