SAP Authorization Management

Give your users access to the applications they need to do their jobs with the appropriate permissions

Challenges in authorization management

Historically grown authorization structures are found especially in system landscapes that have been in operation for a long time. Instead of small, modular, job-specific roles being built, existing roles are continually expanded and assigned to different employees in different departments. Although this means less administrative work in the short term, it causes the complexity of the roles to increase massively over time. As a result, authorization development becomes less and less efficient.

Far more damage, however, can be caused by overly extensive authorizations. For example, an employee may be able to access data that he or she is not supposed to access. In the worst case, criminal activity can cause economic damage. To prevent this, an authorization concept must be in place that describes how authorizations are to be created and assigned to users.

The most common challenges are:

  • Non-transparent role structure

  • Too many authorizations in roles

  • No segregation of duties (SoD)

  • Remaining authorizations after job changes

  • No automated processes

SAP authorization management as part of the identity lifecycle

Authorizations in SAP systems form the basis for identity & access management. They enable users to access the applications they need to perform their tasks. Since functional and organizational requirements are subject to change, SAP authorizations must be regularly checked and reworked. This is the only way to ensure that processes are mapped securely and with complete technical correctness.

In order to identify and minimize risks in authorizations and to assign them correctly via the SAP user lifecycle, the use of supporting solutions from identity & access management is recommended.

Identity Lifecycle Management is part of enterprise security and describes all processes for assigning roles and authorizations - from when an employee joins the company, through changing responsibilities or even department changes, to when he or she leaves.

SAP offers the following solutions for maintaining and managing access rights and users:

These solutions, individually or in combination, enable an efficient and compliant operation of target systems. This includes the detection and minimization of risks as well as the process-based provisioning and removal of users and accesses.

The tools of the SECMENDO product suite extend the capabilities of existing identity & access management (IAM) solutions. The goals are improved user experience, enhanced functionality and more efficient processes.

Solution approaches for efficient authorizations

Authorizations are used to map the organizational structure, business processes and segregation of duties. Therefore, they control the access options of users in SAP systems. The security of business data depends directly on the authorizations assigned. For this reason, the assignment of authorizations must be well planned and executed in order to achieve the desired security.

Authorizations are assigned to users in SAP systems in the form of roles. The goal is to create a system that is as secure as possible and to keep the complexity and number of roles as low as possible. This is the only way to achieve a balanced cost-benefit ratio.

The role concept provides that each user can only process the tasks for which he or she is authorized. It is developed across departments and must protect sensitive data from unauthorized access. A clear role concept enables a modular structure of authorizations without having to create separate roles for each user.

In a redesign, we follow the principle of job-specific workplace roles in order to technically map the job profile of employees. To minimize the effort for the same job profiles with different organizational affiliations, the organizational units are inherited via an additional role. The separation of technical and organizational requirements greatly simplifies role development and modification. If certain people, such as team leaders, require extended authorizations, key user roles are developed for them, which extend the existing job role.

This approach makes authorization management considerably more efficient, since functional changes do not have a global impact on the entire authorization structure. This ensures the quality of authorizations in the long term.
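The role structure described above (job role, separate organizational role, optional key user role) can be checked mechanically for two of the challenges listed earlier: missing segregation of duties and authorizations left over after a job change. The following Python example is added here for illustration and is not IBsolution or SAP code; the role names, users, job profile and SoD rule are constructed assumptions.

```python
# Constructed sample data. Role names are hypothetical; the transaction codes
# (FB60, FK01..FK03, F110) and the BUKRS field are used only as illustration.
JOB_ROLES = {                       # functional content, no org values
    "JR_AP_CLERK": {"FB60", "FK03"},
    "JR_VENDOR_MAINT": {"FK01", "FK02", "FK03"},
}
KEY_USER_ROLES = {"KU_AP_LEAD": {"F110"}}   # extends a job role
ORG_ROLES = {"OR_CC_1000": {"BUKRS": {"1000"}},
             "OR_CC_2000": {"BUKRS": {"2000"}}}
JOB_PROFILES = {"AP_CLERK": {"JR_AP_CLERK"}}  # job roles each profile needs
SOD_RULES = {"vendor maintenance + payment run": ({"FK01", "FK02"}, {"F110"})}

USERS = {
    "ALICE": {"job": "AP_CLERK", "roles": ["JR_AP_CLERK", "OR_CC_1000"]},
    # BOB moved from vendor maintenance to AP; the old job role was never removed.
    "BOB": {"job": "AP_CLERK",
            "roles": ["JR_AP_CLERK", "JR_VENDOR_MAINT", "KU_AP_LEAD", "OR_CC_2000"]},
}

def effective_access(roles):
    """Union of transactions and org values across all assigned roles."""
    tcodes, orgs = set(), {}
    for role in roles:
        tcodes |= JOB_ROLES.get(role, set()) | KEY_USER_ROLES.get(role, set())
        for field, values in ORG_ROLES.get(role, {}).items():
            orgs.setdefault(field, set()).update(values)
    return tcodes, orgs

def audit(user_id):
    """Report SoD conflicts and job roles outside the user's current job profile."""
    user = USERS[user_id]
    tcodes, orgs = effective_access(user["roles"])
    conflicts = sorted(name for name, (left, right) in SOD_RULES.items()
                       if tcodes & left and tcodes & right)
    leftover = sorted(r for r in user["roles"]
                      if r in JOB_ROLES and r not in JOB_PROFILES[user["job"]])
    return {"tcodes": tcodes, "orgs": orgs, "sod": conflicts, "leftover": leftover}

if __name__ == "__main__":
    for uid in USERS:
        print(uid, audit(uid))
```

Because the organizational values live in their own role, the same job role serves both company codes, and the SoD check only has to look at the functional roles.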

Authorizations in SAP systems enable users to access the applications relevant to their activities. To ensure that processes are mapped securely and correctly, SAP authorizations must be subject to regular checks and post-processing.

 

Our offering

Redesigning authorizations when switching to SAP S/4HANA or cleaning up existing authorizations on legacy systems − an efficient authorization and role concept is the basis for secure and functional operation of SAP systems.

Together with you, we develop appropriate authorizations for your systems and processes. In workshops with your business departments, we create concepts for assigning employees the rights they need. The goal is to define so-called job roles, which represent job profiles at the job level.

With these methods, we not only help you with the implementation. You can also maintain and manage the solutions yourself afterwards, or you can trust us to run them for you: We call this Customer Success.

We support you with your challenges in the following areas:

  • Authorization conception
  • Creation of authorizations and roles
  • Securing your company data against unauthorized access
  • Adherence to compliance guidelines

Your contact person

Simon Toepper

simon.toepper@ibsolution.de

+49 7131 2711-1308

SAP and SECMENDO products for authorization and user management

To prevent risks, authorizations must be regularly checked and revised. Since an overall view is extremely difficult with a large number of users, the use of add-on solutions is a good idea.

For this purpose, we recommend the following SAP and SECMENDO products.

SAP Cloud Identity & Access Governance (IAG)

SAP Cloud IAG has similar functions to SAP GRC Access Control. The scope of functions is aimed at cloud systems. However, on-premise SAP systems can also be connected via SAP Cloud Connector.

SAP Cloud IAG offers:

  • Access Request Management (ARM)
    Requesting users and authorizations and provisioning them in target systems

  • Access Risk Analysis (ARA)
    Analysis of risks and mitigation of risks based on defined rules

  • Emergency Access Management (EAM)
    Emergency access management by firefighters

  • Business Role Management (BRM)
    Management, creation and modification of roles of target systems with workflows

SAP GRC Access Control

SAP GRC Access Control is a product to identify risks, mitigate risks and automate workflows.

SAP GRC Access Control provides:

  • Access Request Management (ARM)
    Requesting users and authorizations and provisioning them in target systems
  • Access Risk Analysis (ARA)
    Analysis of risks and mitigation of risks based on defined rules
  • Emergency Access Management (EAM)
    Emergency access management by firefighters
  • Business Role Management (BRM)
    Management, creation and modification of roles of target systems with workflows

SAP Identity Management

SAP Identity Management focuses on the traceable management and consistent distribution of digital identities throughout their lifecycle - assignment, repeated adjustments, deletion. The solution makes it possible to flexibly map individual workflows so that required user accounts, roles, and authorizations can be assigned in a rule-based and automated manner.

SAP Cloud Identity

SAP Cloud Identity solutions enable authentication (IAS), single sign-on (SSO) and provisioning (IPS) against SAP cloud systems. Especially in a hybrid system landscape and in the communication between on-premise and cloud systems, these products enable complete integration.

SAP Cloud Identity solutions:

  • SAP Identity Authentication Service

  • SAP Identity Provisioning Service

  • SAP Single Sign-On

SECMENDO.authority_audit

Break down grown structures and clean up your roles and authorizations in preparation for SAP S/4HANA.

SECMENDO.authority_generator

Optimize SAP authorizations and customize SAP roles based on an SAP authorization trace.

SAP S/4HANA and authorizations

The path to SAP S/4HANA presents a particular challenge with regard to authorizations.

Many previously used transactions become obsolete and are dropped. In their place, some new transactions are added, and some are replaced or enhanced by SAP Fiori apps. This inevitably makes it necessary to revise authorizations after an upgrade to SAP S/4HANA. To simplify the revision of authorizations, it is strongly recommended to maintain the authorization default values (SU24). This must be done before the upgrade if it has not already been done. The new transactions are then automatically provided with the previous authorization values, and the subsequent maintenance effort is significantly reduced.

In addition to the classic authorizations already mentioned, Fiori authorizations must be created for apps. These are added to the roles in the form of tiles and catalogs and assigned to the users. Here, too, it must be ensured that the catalogs and tiles meet the technical requirements and reflect job profiles.
