Establishing Access Control
Across Your Entire Application
Ecosystem

Jeff Purrington

Jeff Purrington

Director of Product Management
Access Control

How to Govern Any Application With Saviynt

Information security and compliance teams face an ever-increasing list of challenges. The cyber threat landscape, both external and internal, is proliferating. In response, the regulatory scope to mitigate cyber risk is perpetually expanding, and the number and frequency of audits are increasing. Application and infrastructure ecosystems are becoming more complex. And finding the expertise to support these ecosystems is quickly becoming more expensive and harder to obtain. These challenges make it harder to stay compliant and require companies to quickly adapt.

One of the fundamental concepts that consistently permeates control frameworks and standards in response to some of these challenges is ensuring identity and access controls are well designed and operating effectively. There is a constant requirement to ensure least privilege and have holistic visibility into identity and access controls — particularly access to critical application activities, privileged access, and segregation of duties (SoD). 

It’s clear that organizations need more cost-effective solutions to control their mix of on-prem, SaaS, and custom or legacy applications across hybrid infrastructure environments. The good news? Saviynt can help. 

Securing Multiple Application Types Is a Complicated Business

In a large corporation, the number of applications that require robust identity and access controls can be substantial. Some of our customers use Saviynt to manage over 250 applications and perform SoD assessments on over 50 applications. Applications in scope for an organization’s routine audits can often number in the dozens. I often saw more than twenty applications in scope for SOX audits when I ran global IT audit organizations. 

Adding to the complexity of ensuring key financial ERP applications have appropriate access controls, an organization may have lesser known process-specific applications they support or they may have developed custom applications that ultimately end up in scope of their audits. Auditors still expect these applications to have appropriate access controls and SoD.

Many organizations rely on manual controls for a large portion of the key applications in scope for their audits. A standard method is to export reports from the application and send these to various managers for painstaking manual approvals via email. As anyone who has taken part in a SOX audit knows, manual controls break down; it only takes one mistake to earn a deficiency that will get reported to the audit committee. 

So how do companies put their arms around the challenging task of ensuring access controls for so many different applications when most software solutions only support the top ten ERP systems? How does an organization automate these controls when they developed many of their applications in-house? 

Using point solutions in today’s complex, hybrid environments is very costly. SAP GRC may be great at securing SAP, but it only works for SAP. Oracle GRC or risk management cloud are good at securing Oracle, but again, what about all of the other applications in scope for all your audits?

In Search of the Right Solution

With the advent of even more stringent access control objectives like Zero Trust, we expect this to become even more of a burden on internal auditors, application owners, CIOs/CISOs, and CFOs. Organizations are looking for new solutions to tackle identity and access controls, privileged access, segregation of duties, and license management – for all of their applications – in a single platform.

Some SoD and access solutions provide access governance for well-known applications, but these solutions cannot deliver an overall identity strategy, and often do not integrate well with existing identity solutions. Other solutions excel at identity management, but they are inadequate at fine-grained SoD and critical access capabilities. And they cannot manage preventive SoD controls all that well. They rely on ineffective coarse-grained controls.

Saviynt Enterprise Identity Cloud: An Integrated Platform

Deploying one holistic solution, such as Saviynt, to achieve access controls for all the applications across your enterprise will simplify access control, provide automation, and reduce costs. These costs include licensing fees, software expertise (labor costs), and the administrative overhead required to manage multiple point solutions. 

Saviynt Enterprise Identity Cloud (EIC) is built in the cloud, for the cloud. It is the only converged SaaS solution that provides Identity Governance and Administration (IGA), Application Access Governance (AAG), and Cloud Privileged Access Management (CPAM).

Securing Standard Applications

Securing access for standard applications presents several challenges. Unfortunately, most standard applications (Oracle EBS, SAP, etc.) come delivered with fewer secure roles and responsibilities than most auditors or information security professionals prefer. They don’t follow the principles of least privilege either. So it’s important to harden your applications when you implement them. You should also disable superuser accounts that came with the application and redesign roles that create inherent SoD risks.


Saviynt provides out-of-the-box rulesets for many common ERP applications down to the most fine-grained entitlements.

When evaluating roles in an application, you should also assess the most fine-grained elements of access associated with these roles. SoD and critical access tools should assess the mechanism a role requires to transact business activities in the application. Too many times, in my days as an auditor, I would see an innocuous-sounding role like “View-only Clerk” contain some of the more sensitive and critical access the application had to offer. Which is why coarse-grained SoD is not effective. 

Saviynt provides out-of-the-box rulesets (down to the most fine-grained entitlements) for several of the more common ERP applications to give customers a strong starting point.

Securing Custom Applications

Many organizations with nuanced business processes develop custom, in-house applications to accommodate their specific needs. For example, an oil and gas company might have trading applications that accommodate requirements to trade energy futures. An insurance company might have reinsurance, claim, or premium applications to accommodate industry-specific requirements. No matter the industry, there is still a basic audit requirement to ensure appropriate access and SoD controls. Unless these companies also develop tools to audit these applications, they will endure a lot of manual “heavy-lifting” to effectively test access controls across these applications.

Saviynt provides a flexible and scalable platform to test applications like these. If the data detailing roles and the underlying entitlements can be accessed to send to managers, it can be uploaded into Saviynt. For both custom and less well-known, off-the-shelf applications, Saviynt provides a platform that can assess access controls and SoD. With Saviynt, an organization can manage the access control environment for their entire application ecosystem, providing analytics and health status to senior management.

To secure in-house applications, Saviynt delivers:

  • Access controls – When an organization needs to show all users that have access to master pillars (Item Master, Employee Master, Customer Master, Vendor Master, etc.) or users that can add or change roles for other users, Saviynt can assess current access and prevent future access without appropriate approvals.
  • SoD controls – Saviynt has over a dozen out-of-the-box rulesets for well-known ERP applications and easy-to-define templates to assist in the definition of SoD risks for less well-known or custom applications.
  • User access certifications – Saviynt can enable user access certifications required for most regulatory compliance audits, for well-known ERPs and for less-well-known and custom applications.
  • Emergency access management for privileged access – Saviynt can provision time-bound access for privileged roles, reducing the attack surface.

Go With the Industry’s Access & Governance Leader

Built for simplicity and scale, Saviynt EIC provides everything you need to secure your enterprise: Identity Governance and Administration (IGA), Application Access Governance (AAG), Cloud Privileged Access Management (CPAM), and Third-Party Access Governance (TPAG). Saviynt EIC is the only cloud-native governance platform recognized as a leader by top analysts across every product category including IGA, Access Governance, and PAM. Our converged platform approach is the future, and we’re leading the industry there.

Schedule a Demo

Ready to see our solution in action?
Sign up for your demo today.

Saviynt named a Gartner® Peer Insights™ Customers’ Choice: IGA Learn More >