Daikin® Success Case

We present the details of the success story shared at both the annual AUSAPE 2024 event and SAPinsider EMEA 2024. The presentation “Access Governance (security and roles) in Cloud and SAP® GRC systems at DAIKIN®” covered different topics related to the Access Area, including both SAP® On Premise and Cloud systems.

Daikin is a Japanese air conditioning and aerothermal manufacturing company headquartered in Osaka. It has operations in Japan, China, Australia, India, Southeast Asia, Europe and North America. It has more than 89,000 employees worldwide, more than 10,000 of them in Europe. The European unit has its IT function located in Belgium and Spain and supports more than 20 subsidiaries.

THE CHALLENGE

Daikin is organizing an overall concept for the IT department responsible for authorization and access management. This concept includes the governance of authorizations for two different types of systems: “SAP On Premise” and “SAP Cloud & Non SAP Systems”. It also covers access control, which is handled by the SAP GRC Access Control system.

INPROSEC SOLUTION

On the one hand, the proposal affected the Authorizations part by introducing a common document, which we will call the “Authorization Concept”, that is independent of the technology behind each SAP or non-SAP system. This document contains the functional structure of the authorizations and accesses of a system that is part of the Daikin system infrastructure, and it does not depend on the specific technology of that system.

On the other hand, and in relation to the GRC Area, the system was updated to the new version in order to solve known problems that had been previously identified. In addition, small changes were proposed that would increase the efficiency of the procurement processes.

Implementation

Authorizations

A document called “Authorization Concept” was designed. This document is structured in 4 different sections:

    1. Introduction about the solution: We give visibility of what the tool does and what functional need it covers for DAIKIN’s organization.
    2. Solution Access Model: Here we detail which options the tool has for access restriction. This section is very different depending on the solution being implemented.
    3. Access Proposal for DAIKIN need: Here we detail what is going to be used from the point of view of access in Daikin. Some objects may not be necessary because the access restriction we need does not functionally require them.
    4. Positions (Roles) that will use the solution: We detail all the positions that will be used, the objective of each one, what they contain at access level, what restrictions exist and what conflicts may arise if several positions are combined in the same user.

The following screenshot shows an example of the document:

SAP® GRC

It is important to understand that today Daikin’s SAP® GRC system supports a large number of different systems, and therefore the proposed changes must be evaluated in great detail to avoid disrupting the continuity of access management processes. The image below gives visibility of the current complexity of this system:

One of the most important changes identified throughout the project was the creation of a new non-production GRC environment that would allow us to run tests that are more stable and closer to what would appear in the GRC Production environment:

The change that had the greatest impact on the efficiency of the process within the GRC system was the simplification of the access provisioning process for those cases that do not generate segregation of duties risks. All the changes made during the project resulted in savings of 1.18 FTEs per year.

RESULTS

With the completion of this project, Daikin has a document that has a common structure regardless of the technology behind each system. This is a step forward for Access Governance in SAP® and non-SAP® systems.

In relation to the efficiency of the access processes, the processes of periodic review of annual access and annual risk review have been improved, correcting errors. Last but not least, Daikin has a new testing system that allows testing more closely aligned with the production environment, making it possible to replicate scenarios that previously could not be performed.
