Orkla gets clear insights into their SAP user access and roles with Soterion

Leading Scandinavian industrial investment company Orkla ASA solves their GRC challenges in SAP with Soterion and EPI-USE Labs

Automated Emergency Access Management process
Improved Access Requests in S/4HANA
Access risk remediated in legacy solutions
Transparency in access management

The challenge: Multiple separate systems

Orkla manages roughly 120 SAP ERP systems across their landscape. They run so many systems primarily because of historical mergers and acquisitions; they also have data located both on-premise and in the cloud.

They encountered three main GRC (Governance, Risk and Compliance) challenges:

  • Firstly, emergency access relied on manual processes for user management and reporting, and incorporated complex review procedures. This was partly because of an IT culture where people felt they should be trusted without question, and also because of the need to keep the Production system running.
  • Secondly, in terms of User Access Requests in their S/4HANA solution, the approvers did not have visibility of what they were approving. It was a cumbersome email process, and role assignments and user creations were done manually.
  • Thirdly, their many legacy SAP solutions had a high level of access risk. They required Access Risk Remediation to remove some superfluous roles, including Norwegian abbreviated roles. They needed to focus on roles with risks and get acceptance/remediation.

Soterion: One solution for multiple issues

Orkla was able to address their GRC challenges by implementing Soterion solutions, as follows:

  • In terms of emergency access management, the solution included detailed logging of emergency activities, such as Transaction/Fiori usage, change logs and table changes. They could also get a workflow and audit trace of the activities for peace of mind.
  • Soterion provided visibility to approvers and helped to create a sense of ownership among local businesses in terms of user access requests. To improve efficiency further, the automated solution allowed auto-provisioning of user access, and a daily notification to the team, including levels of access for additional checking.
  • To address the legacy solutions, the Orkla IT team leveraged Soterion to get insights into which user-to-role mappings existed, what access the users had, and how the access was used. This enabled tailoring access, consolidating single roles into composite roles, and mapping business role logic. The next step is to automate the access provisioning process in Soterion for these roles.

The insights we got from Soterion enabled us to really see what access people used, and not just what they felt they required

Thijs Van Haaren, Tech Lead SAP Security, Orkla

Transparency in access management and reduced risk

Orkla was able to address their challenges with Soterion by having detailed information available on emergency access management. This reduced the risk to the organisation. Moving forward, they are looking at improving the process even further. The different local businesses are now able to take ownership of the user access requests thanks to the business roles included on Orkla’s S/4HANA systems, visibility of well-defined roles and the access request data Soterion could provide.

Legacy systems can accumulate unnecessary access permissions over time. To improve security and clarity, it’s recommended to organise user access around business functions. Orkla achieved this by streamlining existing roles and leveraging Soterion’s capabilities to consolidate roles based on user activities, minimising potential security vulnerabilities.

With Soterion’s Access Manager, the approval process is much more transparent, and there is no resistance from the business users anymore

Thijs Van Haaren, Tech Lead SAP Security, Orkla

Approvers gained visibility of user access.

User access now owned by the business.

Need for email-based approvals eliminated.

Simplified business processes (284, 880 role assignment changes roll up into 604 workflows).

Valuable insights into legacy systems’ roles.

Support for a future-proof business role concept.

Industry: Consumer Products

Solution: Soterion

About Orkla

Based in Norway, Orkla ASA is a leading industrial investment company. Their scope of activity is brands and consumer-oriented companies. At present, Orkla has 12 portfolio companies.

Orkla has a long-term, industrial approach to its portfolio companies. They invest in companies where they can contribute to further value creation through their industry expertise, consumer insight and experience in building leading brands. Orkla ASA is listed on the Oslo Stock Exchange.


