Streamline SAP Business Policy Management.

Extend Role-Based Controls Using ABAC Policy Enforcement

Data Security
Enterprise Data Insight takes a data-centric approach to security and compliance. A data-centric security model allows you to align security policies to your business requirements and limit the exposure of sensitive data and transactions. We start at the foundation – your core SAP ERP data and transactions – and add attribute-based access controls and user activity logging and analytics, so you have better visibility into who is accessing and potentially changing your data.
Real-time policy enforcement and user activity monitoring

One-off role derivations have created a “role-explosion” – adding complexity and overhead to role management. And enforcing access controls beyond a user’s role, down to a field-value level, requires unscalable customizations.

SAP ERP Central Component (SAP ECC) and S/4HANA leverage static roles to govern access. These roles have reached their limitations in a dynamic workplace because static roles do not leverage contextual attributes. In addition, static roles remain intact as users move around the organization and change their job scope. Unless constantly provisioned, static roles can quickly become outdated, leaving an organization exposed to potential risk.

Enterprise Data Insight enables organizations to align data governance and business policies. By extending existing static roles with attribute-based controls, access can be dynamically managed. In addition, access deemed risky (based solely on context) can be restricted.

Data-Centric Security Policies

Enterprise Data Insight allows you to restrict access to sensitive data and transactions if the context is suspicious. Context can include, for example, user attributes, data attributes, activity type, IP address, user location, time of day, amount of money transacted, the number of transactions, user activity trends, and segregation of duty.

Extending SAP GRC Access Control Policies

For customers using SAP GRC, Enterprise Data Insight can extend existing access control policies and enhance reporting capabilities. Enterprise Data Insight overlays GRC and leverages what you have already deployed to protect your organization.

Data Masking & Redaction

With Enterprise Data Insight, you can choose to mask (fully or partially), block, or redirect access to sensitive data fields across the application using a single policy. Click-to-View field masking prevents unnecessary exposure of sensitive data while still allowing users to view data with expressed intent. Reducing the exposure of PII and other sensitive data improves your regulatory compliance.

Granular Access And Transaction Policies

Customers can reduce the amount of acceptable risk by using granular access controls to strengthen field and transaction-level security. You can block malicious activity in real time and manage privileges by placing limitations on who can access an application, from where, when, how they can access it, and what they can do with it.

Key Challenges to SAP Access Management

Static Role-Based Policy

Role-Based Access Controls (RBAC) group users into broad categories known as roles or permission lists. Limited to these static categories, RBAC cannot use dynamic information such as project ID, company code, IP address, location, device type, and more to authorize access. RBAC alone fails to provide the optimum level of security for highly sensitive transactions and data.

Role Explosion

Over time, SAP applications become crowded with potentially thousands of roles and permission lists – a phenomenon known as role explosion. Managing these lists and keeping them current requires continuous vigilance and can quickly become one of your most time-consuming jobs. It can also become a potential source of security breaches.

Custom Role Development Creates Friction

There are situations where custom development is required to add access control restrictions based on dynamic attributes such as IP address, location, nationality, business unit, and project affiliation. However, these customizations create user friction to accommodate slight differences between static and dynamic privileges.


How do I reconcile my business objectives with my data security and compliance mandates?

With Enterprise Data Insight Data Protection you can quickly and easily detect, identify and fix your exposure. The dynamic data masking process can be applied across all core and/or industry-specific modules.