I attended an interesting session at the BCS SAM networking group last night.
The main topic of conversation was SAP, led by Snow’s subject matter expert Telma Rafael.
Notable discussion points:
SAP is rumoured to be changing their audit approach on how to classify users: “It is believed customers will need to classify users based on their authorizations rather than usage, typically users have a lot more permissions than they need” said Telma.
So my understanding of this is that you might have demoted a user to save money, but because that user has potential access rights you’ll get clobbered accordingly. I guess this is similar to having Microsoft SQL Enterprise sat on a server doing nothing; you don’t pay for usage, you pay for it’s existence and potential to be used. We’ll look at digging into this in more detail over the coming months.
SAP R/3 support is due to end in 2025 – so many organizations with perfectly stable SAP implementations are being persuaded to migrate to S/4 HANA when a) they don’t need or want to go to cloud and b) some argue S/4 HANA is not yet fit for purpose compared to the on-premise alternative. Why might a customer go through the considerable investment in rebuilding SAP when they could go with a cheaper, more nimble, less aggressive alternative? Telma claimed S/4 HANA adoption was around 25%, so clearly a big battle and crunch time for SAP’s future over the next seven years.
I also heard during the SAP discussions that Diageo’s appeal against SAP for indirect access has been upheld. Citing a lack of specialist knowledge by the Judge presiding over the SAP litigation. I’m yet to find any court papers to verify this rumour, if any readers find anything please share.
We also heard that SAP was known to initiate indirect access claims and audit threats when losing a RFP to Salesforce.com or other CRM platforms. If validated, clearly things are getting a little desperate for the ERP dinosaur.
The second half of the BCS networking event was dedicated to an open discussion on the role ITAM plays in supporting GDPR. For me, GDPR is a data protection or InfoSecurity responsibility. As with a cybersecurity outbreak, ITAM’s role is supportive. Security are our friends, our allies, our stakeholders, we want to support them by identifying GDPR risk.