Schedule Demo

At the SAPinsider 2020 virtual conference experience, one of our product demo attendees asked how Pathlock works with SAP GRC Access Control. We get this question a lot as SAP security and system professionals explore adding attribute-based access controls (ABAC) to the native SAP role-based access controls (RBAC) to streamline and strengthen access policy management and enforcement. Sometimes there is confusion about whether ABAC is enhancing or replacing their RBAC. Let’s take a quick look at how Pathlock’s ABAC works with and enhances SAP GRC Access Control.

What is SAP GRC Access Control

Organizations use SAP Governance, Risk, and Compliance (SAP GRC) to manage regulations and compliance and remove any risk in managing critical operations. One of the SAP GRC modules that helps organizations meet data security and authorization standards is SAP GRC Access Control. This module ensures that the right access is given to the right people with RBAC. It uses templates and workflow-driven access requests and approvals to streamline the process of managing and validating user access and provisioning. Without SAP GRC, for comparison, a person is creating all the roles from scratch and assigning privileges to them.

Pathlock Enhances SAP GRC with Attribute-Based Access Controls

Pathlock combines the SAP GRC role-based access controls with an attribute-based access control solution that delivers an ABAC + RBAC hybrid approach. This enhanced approach enables granular control and visibility that delivers a wide range of business benefits and lets you deploy data-centric security policies that leverage the context of access to reduce risk.

Pathlock overcomes the limitations of traditional RBAC, allowing you to fully align SAP security policies with the objectives of your business and streamline audits and compliance.

SAP GRC Access Control

As you can see in this illustration, ABAC begins the moment users start to access data and transactions. Where RBAC assigns access based specific roles, ABAC considers the context of access (who, what, where, when, and how) before allowing access to transactions or data. Customers can set up additional rules that allow conditional access, for example, masking specific data fields or limiting the number of transactions after a particular time of day) or entirely denying access based on factors such as an unknown IP address.

Real-Time Analytics for SAP Security & Risk Management

With Appsian360, our real-time analytics and reporting tool, Pathlock can enhance the SAP GRC reporting capabilities with direct, real-time visibility into transaction usage, violations, and compliance risk. Additionally, customers can:

  1. Monitor transaction usage, master data changes, and SoD violations
  2. View actual SoD violations with user, data, and transaction correlation
  3. Segment reports by user/data attributes
  4. Drill down into end-user usage events

Appsian360 provides analytical reports to drill down into end-user usage events to capture business risks and anomalies, and usage events that tie back to compliance risks.

The ABAC + RBAC Hybrid Approach to SAP GRC Access Control

By combining data-centric security capabilities with attribute-based policies, Pathlock extends and enhances the existing SAP GRC internal access controls and improves the reporting and auditing capabilities.

Contact us today and schedule a demo to see how Pathlock can help you enforce access controls beyond the standard RBAC model of SAP.

Table of contents