SAP Authorization Management

Give your users access to the applications they need to do their jobs with the appropriate permissions

Challenges in authorization management

Historically grown authorization structures are especially common in system landscapes that have been in operation for a long time. Instead of small, modular, job-specific roles being created, existing roles are continually expanded and assigned to different employees in different departments. Although this means less administrative work in the short term, it causes the complexity of the roles to increase massively over time. As a result, authorization development becomes less and less efficient.

Far more damage, however, can be caused by overly extensive authorizations. For example, an employee may be able to access data that he or she should not be permitted to access. In the worst case, criminal activity can cause economic damage. To prevent this, an authorization concept must be in place that describes how authorizations are to be created and assigned to users.

The most common challenges are:

  • Non-transparent role structure

  • Too many authorizations in roles

  • No segregation of duties (SoD)

  • Remaining authorizations after job changes

  • No automated processes

Power Workshop for SAP Authorizations

In our Power Workshop for SAP Authorizations, we review your existing authorization concept together with you to determine whether it covers current requirements. A key focus is future viability, which we achieve through maintainability, efficient functionality and maximum security. Based on your individual prerequisites and requirements, we work out whether your authorizations need a redesign or just a revision, and what your path to SAP S/4HANA will look like.

SAP authorization management as part of the identity lifecycle

Authorizations in SAP systems form the basis for identity & access management. They enable users to access the applications they need to perform their tasks. Since functional and organizational requirements are subject to change, SAP authorizations must be regularly checked and reworked. This is the only way to ensure that processes are mapped securely and correctly from a technical point of view.

In order to identify and minimize risks in authorizations and to assign them correctly via the SAP user lifecycle, the use of supporting solutions from identity & access management is recommended.

Identity Lifecycle Management is part of enterprise security and describes all processes for assigning roles and authorizations - from when an employee joins the company, through changing responsibilities or even department changes, to when he or she leaves.

SAP offers the following solutions for maintaining and managing access rights and users:

These solutions, individually or in combination, enable an efficient and compliant operation of target systems. This includes the detection and minimization of risks as well as the process-based provisioning and removal of users and accesses.

The tools of the SECMENDO product suite extend the capabilities of existing identity & access management (IAM) solutions. The goals are improved user experience, enhanced functionality and more efficient processes.

Solution approaches for efficient authorizations

Authorizations are used to map the organizational structure, business processes and segregation of duties. Therefore, they control the access options of users in SAP systems. The security of business data depends directly on the authorizations assigned. For this reason, the assignment of authorizations must be well planned and executed in order to achieve the desired security.

Authorizations are assigned to users in SAP systems in the form of roles. The goal is to create a system that is as secure as possible and to keep the complexity and number of roles as low as possible. This is the only way to achieve a balanced cost-benefit ratio.

The role concept ensures that each user can only process the tasks for which he or she is authorized. It is developed across departments and must protect sensitive data from unauthorized access. A clear role concept enables a modular structure of authorizations without having to create separate roles for each user.

In a redesign, we follow the principle of job-specific workplace roles in order to technically map the job profile of employees. To minimize the effort for the same job profiles with different organizational affiliations, the organizational units are inherited via an additional role. The separation of technical and organizational requirements greatly simplifies role development and modification. If certain people, such as team leaders, require extended authorizations, key user roles are developed for them, which extend the existing job role.

This approach makes authorization management considerably more efficient, since functional changes do not have a global impact on the entire authorization structure. This ensures the quality of authorizations in the long term.

Authorizations in SAP systems enable users to access the applications relevant to their activities. To ensure that processes are mapped securely and correctly, SAP authorizations must be subject to regular checks and post-processing.

 

Our offering

Whether you are redesigning authorizations when switching to SAP S/4HANA or cleaning up existing authorizations on legacy systems, an efficient authorization and role concept is the basis for secure and functional operation of SAP systems.

Together with you, we develop appropriate authorizations for your systems and processes. In workshops with your business departments, we create concepts for assigning employees the rights they need. The goal is to define so-called job roles, which represent job profiles at the job level.

With these methods, we not only help you with the implementation. You can also maintain and manage the solutions yourself afterwards, or you can trust us to run them for you: We call this Customer Success.

We support you with your challenges in the following areas:

  • Authorization conception
  • Creation of authorizations and roles
  • Securing your company data against unauthorized access
  • Adherence to compliance guidelines

Your contact person

Simon Toepper

simon.toepper@ibsolution.com

+49 7131 2711-3000

SAP and SECMENDO products for authorization and user management

To prevent risks, authorizations must be regularly checked and revised. Since an overall view is extremely difficult with a large number of users, the use of add-on solutions is a good idea.

For this purpose, we recommend the following SAP and SECMENDO products.

SAP Access Control

SAP Access Control is a product for identifying and mitigating risks and for automating workflows.

SAP Access Control provides:

  • Access Request Management (ARM)
    Requesting users and authorizations and provisioning them in target systems
  • Access Risk Analysis (ARA)
    Analysis of risks and mitigation of risks based on defined rules
  • Emergency Access Management (EAM)
    Emergency access management by firefighters
  • Business Role Management (BRM)
    Management, creation and modification of roles of target systems with workflows

SAP Identity Management

SAP Identity Management focuses on the traceable management and consistent distribution of digital identities throughout their lifecycle - assignment, repeated adjustments, deletion. The solution makes it possible to flexibly map individual workflows so that required user accounts, roles, and authorizations can be assigned in a rule-based and automated manner.

SAP Cloud Identity

The SAP Cloud Identity solutions enable authentication (IAS), single sign-on (SSO) and provisioning (IPS) against SAP cloud systems. Especially in a hybrid system landscape and in the communication between on-premise and cloud systems, these products enable complete integration.

SAP Cloud Identity solutions:

SECMENDO.audit

Break down grown structures and clean up your roles and authorizations in preparation for SAP S/4HANA.

SECMENDO.authority_generator

Optimize SAP authorizations and customize SAP roles based on an SAP authorization trace.

SAP S/4HANA and authorizations

The path to SAP S/4HANA presents a particular challenge with regard to authorizations.

Many previously used transactions become obsolete and are dropped. In their place, some new ones are added, and others are replaced or enhanced by SAP Fiori apps. This inevitably leads to the need to revise authorizations after an upgrade to SAP S/4HANA. To simplify the revision of authorizations, it is strongly recommended to maintain the authorization default values (SU24). This must be done before the upgrade if it has not already been done. The new transactions are then automatically provided with the previous authorization values, which significantly reduces the subsequent maintenance effort.

In addition to the classic authorizations already mentioned, Fiori authorizations must be created for apps. These are added to the roles in the form of tiles and catalogs and assigned to the users. Here, too, it must be ensured that the catalogs and tiles meet the technical requirements and reflect job profiles.

More information about SAP authorizations

Modern and efficient authorization concepts

Redesign of SAP authorizations

We examine your existing authorization concept and analyze possible areas for action. Depending on the results and the state of your authorization structure, we develop an individual roadmap to transform your roles into a modern and sustainable authorization concept.
Redesign or migration?

SAP authorizations in SAP S/4HANA

SAP authorizations are usually created and maintained over years or even decades with great effort. The simplification of processes in SAP S/4HANA leads to the loss of frequently used transactions, which are replaced by new Fiori apps. IT managers rightly ask themselves whether and how they can efficiently transfer authorizations to SAP S/4HANA.
Blog

What changes in authorizations with SAP S/4HANA

SAP S/4HANA brings with it various new processes and technologies that did not previously exist in this way in SAP ERP. In addition, there are also differences in the authorization concepts between SAP S/4HANA and previous ERP versions from SAP that must be taken into account to ensure smooth user access.
Transactions SU24 and SU25

Default values and profile generator for SAP authorizations

SAP authorizations are often developed without the adjusted default values of transaction SU24. As a result, the profile generator (SU25) cannot develop its full potential. The biggest advantage of the authorization default values with regard to SAP S/4HANA is the reduced effort required for reworking the authorizations of the roles.
Blog

How to avoid conflicts and risks in authorizations

SAP Access Control and SAP Cloud Identity Access Governance (IAG) address the management of users and authorizations in compliance with rules and with as little risk as possible. While SAP Access Control is an on-premise solution, SAP IAG is available as a cloud service on SAP Business Technology Platform.
Adjustments to authorizations

SECMENDO.audit

The architecture and database structure of SAP S/4HANA also affect authorization management. Working with Fiori apps requires changes to roles and the associated authorization objects. In the first step, an authorization check provides information about where exactly your company needs to start in this regard.
