Especially in system landscapes that have been in operation for a long time, historically grown authorization structures can be found. Instead of small, modular, job-specific roles, existing roles are continually expanded and assigned to different employees in different departments. Although this leads to less administrative work in the short term, it causes the complexity of the role to increase massively over time. As a result, the efficiency of authorization development is increasingly lost.
Far more damage, however, can be caused by overly extensive authorizations. For example, an employee may be able to access data that he or she is not supposed to access. In the worst case, criminal activity can cause economic damage. To prevent this, an authorization concept must be in place that describes how authorizations are to be created and assigned to users.
Non-transparent role structure
Too many authorizations in roles
No segregation of duties (SoD)
Remaining authorizations after job changes
No automated processes
Authorizations in SAP systems form the basis for identity & access management. They enable users to access the applications they need to perform their tasks. Since functional and organizational requirements are subject to change, SAP authorizations must be regularly checked and reworked. This is the only way to ensure that processes are mapped securely and completely correctly from a technical point of view.
In order to identify and minimize risks in authorizations and to assign them correctly via the SAP user lifecycle, the use of supporting solutions from identity & access management is recommended.
SAP offers the following solutions for maintaining and managing access rights and users:
These solutions, individually or in combination, enable an efficient and compliant operation of target systems. This includes the detection and minimization of risks as well as the process-based provisioning and removal of users and accesses.
Authorizations are used to map the organizational structure, business processes and segregation of duties. Therefore, they control the access options of users in SAP systems. The security of business data depends directly on the authorizations assigned. For this reason, the assignment of authorizations must be well planned and executed in order to achieve the desired security.
The role concept provides that each user can only process the tasks for which he or she is authorized. It is developed across departments and must protect sensitive data from unauthorized access. A clear role concept enables a modular structure of authorizations without having to create separate roles for each user.
In a redesign, we follow the principle of job-specific workplace roles in order to technically map the job profile of employees. To minimize the effort for the same job profiles with different organizational affiliations, the organizational units are inherited via an additional role. The separation of technical and organizational requirements greatly simplifies role development and modification. If certain people, such as team leaders, require extended authorizations, key user roles are developed for them, which extend the existing job role.
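The role model described above, sketched as an added Python example (not part of the original page and not the data model of SAP or any product): job roles carry the functions, an organizational role carries the organizational units, and a key user role extends a job role. All role names, function names, the company code and the SoD rule are constructed for illustration.

```python
from dataclasses import dataclass, field

# Constructed SoD rule: function pairs that one user must not hold together.
SOD_RULES = [("maintain_vendor", "run_payments")]

@dataclass(frozen=True)
class Role:                      # job role or key user role: what may be done
    name: str
    functions: frozenset

@dataclass(frozen=True)
class OrgRole:                   # organizational role: where it may be done
    name: str
    company_codes: frozenset

@dataclass
class User:
    name: str
    job_roles: list
    org_role: OrgRole
    key_user_roles: list = field(default_factory=list)

def functions_of(user):
    """Union of all functions from job roles and key user extensions."""
    return set().union(*(r.functions for r in user.job_roles + user.key_user_roles))

def effective_access(user):
    """Every function is granted only for the inherited organizational units."""
    return {(f, cc) for f in functions_of(user) for cc in user.org_role.company_codes}

def sod_violations(user):
    held = functions_of(user)
    return [rule for rule in SOD_RULES if set(rule) <= held]

def change_job(user, new_role, revoke_old=True):
    """revoke_old=False models authorizations that remain after a job change."""
    user.job_roles = [new_role] if revoke_old else user.job_roles + [new_role]

# Constructed sample roles.
AP_CLERK = Role("AP_CLERK", frozenset({"maintain_vendor", "display_invoice"}))
PAYMENT_OFFICER = Role("PAYMENT_OFFICER", frozenset({"run_payments", "display_invoice"}))
AP_KEY_USER = Role("AP_KEY_USER", frozenset({"release_blocked_invoice"}))
ORG_1000 = OrgRole("ORG_1000", frozenset({"1000"}))

def demo():
    clean = User("alice", [AP_CLERK], ORG_1000)
    change_job(clean, PAYMENT_OFFICER)                    # old job role removed
    grown = User("bob", [AP_CLERK], ORG_1000)
    change_job(grown, PAYMENT_OFFICER, revoke_old=False)  # old job role kept
    return sod_violations(clean), sod_violations(grown)
```

The user whose old job role is revoked on transfer has no conflict, while the user who keeps it ends up holding both sides of the SoD rule.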
Redesigning authorizations when switching to SAP S/4HANA or cleaning up existing authorizations on legacy systems − an efficient authorization and role concept is the basis for secure and functional operation of SAP systems.
Together with you, we develop appropriate authorizations for your systems and processes. In workshops with your business departments, we create concepts for assigning employees the rights they need. The goal is to define so-called job roles, which represent job profiles at the job level.
With these methods, we not only help you with the implementation. You can also maintain and manage the solutions yourself afterwards, or you can trust us to run them for you: We call this Customer Success.
To prevent risks, authorizations must be regularly checked and revised. Since an overall view is extremely difficult with a large number of users, the use of add-on solutions is a good idea.
SAP Cloud IAG has similar functions to SAP GRC Access Control. The scope of functions is aimed at cloud systems. However, on-premise SAP systems can also be connected via SAP Cloud Connector.
Access Request Management (ARM): Requesting users and authorizations and provisioning them in target systems
Access Risk Analysis (ARA): Analysis of risks and mitigation of risks based on defined rules
Emergency Access Management (EAM): Emergency access management by firefighters
Business Role Management (BRM): Management, creation and modification of roles of target systems with workflows
SAP GRC Access Control is a product to identify risks, mitigate risks and automate workflows.
SAP Identity Management focuses on the traceable management and consistent distribution of digital identities throughout their lifecycle - assignment, repeated adjustments, deletion. The solution makes it possible to flexibly map individual workflows so that required user accounts, roles, and authorizations can be assigned in a rule-based and automated manner.
SAP Cloud Identity solutions enable authentication (IAS), single sign-on (SSO) and provisioning (IPS) against SAP cloud systems. Especially in a hybrid system landscape and in the communication between on-premise and cloud systems, these products enable complete integration.
SAP Identity Authentication Service
SAP Identity Provisioning Service
SAP Single Sign-On
Many previously used transactions become obsolete and are dropped. In their place, new ones are added, or they are replaced or enhanced by SAP Fiori apps. This inevitably leads to the need to revise authorizations after an upgrade to SAP S/4HANA. To simplify the revision of authorizations, it is strongly recommended to maintain the authorization default values (SU24). This must be done before the upgrade if it has not already been done. The new transactions are then automatically provided with the previous authorization values, and the subsequent maintenance effort is significantly reduced.
In addition to the classic authorizations already mentioned, Fiori authorizations must be created for apps. These are added to the roles in the form of tiles and catalogs and assigned to the users. Here, too, it must be ensured that the catalogs and tiles meet the technical requirements and reflect job profiles.
Identity lifecycle management is part of enterprise security and describes all processes for assigning roles and authorizations − from when an employee joins the company, through changing responsibilities or even department changes, to when he or she leaves.
Identity & Access Management solutions, individually or in combination, enable efficient and compliant operation of target systems. This includes the detection and minimization of risks as well as the process-based provisioning and removal of users and accesses.
The tools of the SECMENDO product suite extend the capabilities of existing SAP Identity & Access Management (IAM) solutions. The goals are an improved user experience, enhanced functionality and more efficient processes.