Hello and welcome to my blog illustrating the latest and greatest highlights for Governance, Risk and Compliance (GRC) with SAP S/4HANA Cloud 2005. In this release, we deliver enhancements for the automated provisioning via SAP Cloud Identity Access Governance (3AB), a brand new scope item regarding privacy risk detection with SAP privacy governance (‏3KX‏), as well as new document types for the integration with SAP Global Trade Services.

Watch my video to get a quick overview of our SAP S/4HANA Cloud 2005 highlights for GRC:

In this blog, I will illustrate the following topics:

Access Governance

• Quick Intro - SAP Cloud Identity Access Governance
• SAP S/4HANA 2005: Automated Provisioning via SAP Cloud Identity Access Governance (3AB)

Privacy Governance

• Quick Intro - SAP Privacy Governance
• SAP S/4HANA 2005: Privacy Risk Detection with SAP Privacy Governance (3KX)

International Trade

• Quick Intro - International Trade (part of SAP S/4HANA Cloud)
• SAP S/4HANA Cloud 2005: GTS Integration - Additional Document Types for Initial Transfer of Document...

 

Access Governance

Quick Intro - SAP Cloud Identity Access Governance

As this is the first blog about GRC for SAP S/4HANA Cloud, let me start off with a short intro of the product offering. If you like to jump directly to the corresponding 2005 highlight, you can click here.
SAP Cloud Identity Access Governance is a cloud-based access governance solution consisting of different services:

• Access Analysis Service
  Reduces risks associated with segregation of duties (SoD) conflicts and sensitive access for on-premise and cloud solution and provides configurable and predefined access policies and rules.
• Role Design Service
  Helps to optimize role definition and streamline governance. In addition, it assures business role compliance with organizational policies.
• Access Request Service
  Features an integrated and compliant user-provisioning process and shows auditable access-request workflows.
• Access Certification Service
  The access certification service is a cloud solution for reviewing and certifying access for on-premise and cloud source applications and provides integrated processes for designing and managing certification campaigns. It reduces complexity in processing periodic certifications by allowing automated periodic access reviews.

 

More Information

• SAP Help Portal: SAP Cloud Identity Access Governance
• Administration Guide for SAP Cloud Identity Access Governance
• SAP's corporate website: SAP Cloud Identity Access Governance

 

Automatic Provisioning with SAP Cloud Identity Access Governance (3AB)

The first highlight regarding GRC in SAP S/4HANA 2005 is the automated user provisioning with SAP Cloud Identity Access Governance.The corresponding scope item is called 3AB and integrates SAP S/4HANA Cloud, SAP SuccessFactors, and SAP Cloud Identity Access Governance. It allows you to automate provisioning in SAP S/4HANA Cloud based on employee events in SAP SuccessFactors. Thanks to this, you can seamlessly manage and instantly update user permissions with embedded compliance for the entire employee life cycle - from hire to retire - across the enterprise landscape. This also includes immediate removal of access in case of termination.

Fig. 1: The integration of SAP SuccessFactors, SAP S/4HANA, and SAP Cloud Identity Access Governance allows you to automatically provision user roles based on employee events in SAP SuccessFactors

In SAP SuccessFactors, you can maintain the employment information. In SAP Cloud Identity Access Governance, you can maintain rules for role assignment determination, approve role assignments and mitigate risks as needed. From SAP Cloud Identity Access Governance, the roles are then automatically provisioned for the respective business users to SAP S/4HANA Cloud.

Fig. 2: With SAP Cloud Identity Access Governance, you can automatically create access requests and approve role assignments before provisioning them to SAP S/4HANA Cloud

With 2005, the existing scope item 'Automated Provisioning via SAP Cloud Identity Access Governance' (‏3AB‏) has been enhanced to allow for access requests on behalf of others. Typical situations for this are e.g. an IT help desk employee that creates access requests for other employees in case of IT issues or managers knowing that their employees will need specific business roles for their daily work. As a manager, role owner, or security approver, you use the 'Create Access Request for Others' app to create requests or extend existing assignments for other users. The app allows you to identify the access that you need. You can search by the name of the user, by application, or by business process.

Please note that in order to make use of automatic provisioning with SAP Cloud Identity Access Governance, you will have to purchase additional licenses.

 

More Information

• SAP Best Practice Explorer: Automated Provisioning with SAP Cloud Identity Access Governance (3AB)

 

Privacy Governance

Quick Intro - SAP Privacy Governance

Similar to SAP Cloud Identity Access Governance, I would like to take the opportunity to provide a very quick overview about what you can do with SAP Privacy Governance. If you like to jump directly to the corresponding S/4HANA Cloud 2005 highlight, you can click here.

SAP Privacy Governance supports compliance specialists in complying with data privacy regulations, such as GDPR in the EU and the California Consumer Privacy Act (CCPA), and is available as software-as-a-service.

It offers various features:

• Register regulatory requirements:
  Create a complete and well-organized register of the regulatory requirements that are
  applicable to your organization at, global, regional, country or site level, as the basis
  for building your organization's regulatory compliance framework.
• Create Records of Processing Activities
  Document your data processing activities by creating records of processing activities
• Create Data Protection Impact Assessments
  Document your data processing activities by creating data protection impact assessments. Review activities within your organisation in order to understand and then reduce any data protection risks involved.
• Highlight potential risks
  Highlight potential risks arising from your data processing activities
• Document risks and risk assessments
  Document risks to your organization and maintain records of ongoing risk assessments
• Monitoring
  Monitor data processing to demonstrate compliance and access all records
  within your organization
• Policy management
  Publish, track and view company policies

 

More Information

• SAP Privacy Governance on SAP Help Portal
• Administration Guide for SAP Privacy Governance

 

Privacy Risk Detection with SAP Privacy Governance (3KX)

My second highlight regarding GRC in SAP S/4HANA Cloud 2005 is the detection of privacy risks with SAP Privacy Governance. The corresponding scope item is called 3KX and is brand new. As you are well aware, the use of personal information is strictly regulated by various data privacy regulations (e.g. GDPR in the EU). Consequently, companies face privacy risks when collecting and processing personal information. By integrating SAP S/4HANA Cloud with SAP Privacy Governance, compliance specialists can now automatically detect data privacy anomalies in their connected SAP S/4HANA Cloud systems.

As this is closely linked to Information Lifecycle Management, as a prerequisite ILM needs to be activated and retention rules have to be maintained for the relevant ILM objects. With the 2005 release, we support sales orders and HR data. The relevant scope item for ILM is 1KA. For example, if you want to detect privacy risks regarding sales orders, you need to assign the respective ILM object SD_VBAK to an appropriate audit area. In addition, an ILM policy needs to be in place and you need to maintain retention rules for the respective combinations of audit areas and ILM objects.

With SAP S/4HANA Cloud 2005, we support three scenarios:

• Correct setup of retention rules for respective ILM objects. With 2005, this includes sales orders and HR data.
• Automatic detection of sales orders which have not been destroyed correctly based on retention rules
• Automatic detection of HR data which has not been destroyed correctly based on retention rules.

Fig. 3: By integrating SAP S/4HANA Cloud with SAP Privacy Governance, you can detect privacy risks in connected SAP S/4HANA Cloud systems

Please note that this scope item is excluded from default activation. In order to make use of privacy risk detection with SAP Privacy Governance, you will have to purchase additional licenses.

More Information

• SAP Best Practice Explorer: Privacy Risk Detection with SAP Privacy Governance

International Trade

Quick Intro - International Trade

Similar to the previous topics, I will shortly outline what you can do with International Trade in SAP S/4HANA Cloud. If you like to jump directly to the corresponding SAP S/4HANA Cloud 2005 highlight, you can click here.

International Trade supports the following areas:

• International Trade Classification
  • Classification of products with control classes and control groupings for legal control
  • Loading of classification data from external data providers (commodity codes, customs tariff numbers and control classes)
  • Classification of products with commodity codes, Intrastat service codes and Customs Tariff Numbers
• International Trade Compliance
  • Control of statutory regulations for export
  • Managing of licenses in accordance with legal control for export (sales orders and deliveries) and import (purchase orders)
  • Managing and release of blocked legal control documents
  • Managing countries/regions under embargo situations
• Intrastat
  • Managing Intrastat declarations and their master data
• Integration with SAP Global Trade Services
  • Transfer of master and movement data from the S/4HANA Cloud to your SAP Global Trade Services
• Integration with SAP Watch List Screening
  • Integration allows to screen names and addresses for sales orders and outbound deliveries and purchase orders

 

More Information

• SAP Help Portal: International Trade in SAP S/4HANA Cloud

GTS Integration: Additional Document Types for Initial Transfer of Documents to SAP Global Trade Services

Thanks to the integration with SAP Global Trade Services (SAP GTS), you can transfer master data and transactional data from SAP S/4HANA Cloud to your SAP GTS system.

Key Features

• Integration with SAP Global Trade Services for Compliance Management
  You can use Compliance Management in your SAP GTS system. It contains import and export controls, as well as embargoes and sanctioned party list screening for business partners and contact persons.
• Integration with SAP Global Trade Services for Customs Management
  You can use Customs Management in your SAP GTS system. It contains the customs declaration before and after goods receipt during import and the customs declaration during export. By integrating with Customs Management, no customs procedures with economic impact are supported.
• Integration with SAP Global Trade Services for Preference Management
  You can use Preference Management in your SAP GTS system. This includes the management of supplier-based long term vendor declaration and customer-based long term vendor declarations, as well as the preference determination for fixed bills of products.
• Schedule Transfer of Master Data
  You can schedule the transfer of the master data for SAP Global Trade Services

With SAP S/4HANA Cloud 2005, you can schedule the transfer of additional document types to SAP GTS, namely inbound deliveries, outbound deliveries, and sales documents.

International Trade Administrators can make use of three additional apps for scheduling the transfer:

• Schedule Transfer of Sales Documents - Global Trade Services
• Schedule Transfer of Outbound Deliveries - Global Trade Services
• Schedule Transfer of Inbound Deliveries - Global Trade Services

This is especially relevant for scope item 24J called 'Compliance Management with SAP Global Trade Services' which allows you to transfer documents from SAP S/4HANA Cloud to Compliance Management in SAP Global Trade Services to ensure compliance with international trade regulations. Before the 2005 release, this was only possible for purchase orders. The beauty of this scope item is that you can leverage existing investments in SAP Global Trade Services 11 and utilize existing rules in your SAP GTS system.

Fig. 4: Scope item 'Compliance Management with SAP Global Trade Services' allows you to transfer  inbound deliveries, outbound deliveries, and sales documents to SAP GTS to ensure compliance with international trade regulations

In addition to scope item 24J, the transfer of additional document types is also relevant for two other GTS-related scope items:

• Preference Management with SAP Global Trade Services (3JX)
• Customs Management with SAP Global Trade Services (2U1)

Please note that all three scope item are excluded from default activation. In order to make use of the GTS integration, you will have to purchase additional licenses.

 

More Information

• Best Practice Explorer: Compliance Management with SAP Global Trade Services (24J)
• Best Practice Explorer: Preference Management with SAP Global Trade Services (3JX)
• Best Practice Explorer: Customs Management with SAP Global Trade Services (2U1)

For more information on SAP S/4HANA Cloud, check out the following links

• SAP S/4HANA Cloud release info: http://www.sap.com/s4-cloudrelease
• Sven Denecken’s SAP S/4HANA Cloud 2005 Release Blog
• Link Collection – Governance, Risk and Compliance (GRC) with SAP S/4HANA Cloud here
• Microlearnings for SAP S/4HANA Cloud here
• Inside SAP S/4HANA Podcast here
• Best practices for SAP S/4HANA Cloud here
• SAP S/4HANA Cloud Customer Community: register here
• Feature Scope Description here
• What’s New here
• Help Portal Product Page here
• Implementation Portal here

Follow us via @Sisn and #S4HANA, or myself via LinkedIn or @DeissnerKatrin