As companies globalize and consolidate their SAP systems, they face an increasing need to control access to sensitive data based on fine-grained user profiles. Traditionally, companies have managed this access by defining fine-grained roles, leading to an explosion of roles that are inconsistent and hard to manage.
In this webinar series, attendees will learn:
- The key trends driving role explosion
- The challenges of role explosion
- Example use cases that drive role explosion
- How attribute-based access control (ABAC) can alleviate the problem
Attendees will also see demonstrations of use cases illustrating how role explosion happens, and how ABAC can help reduce role explosion.
With ABAC, the idea is to use just one simple role and to use the attributes directly to grant access to different systems for different groups of users. That way, access controls are not tied to the user's role; the decision is made dynamically, based on the attributes, to enforce controls on resources.
We can achieve the same level of organizational controls by using attributes such as Company and Department attached to the user and mapping them to the organization attributes of the resource being accessed. With dynamic matching of attributes, we can achieve the same result with just 50 functional roles and 1 policy. The policy matches the appropriate resource and user attributes to give users access to a specific resource.
Even if we have to extend the requirements to a finer-grained level, such as user location and export-controlled data, that is just another attribute to be matched in a policy, not another set of roles to create for different types of citizens.
This reduces the number of roles created and managed by a minimum of 97% in the best possible scenario we discussed so far with roles. That's a huge reduction in cost and management time, with 97% fewer roles to manage and maintain.
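The attribute matching described above, sketched as an added example (not code from the webinar or from any SAP or vendor product). The attribute names, sample values, the set of cleared locations and the choice to treat unclassified data as export controlled are all assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Subject:
    functional_role: str   # one of the few functional roles, e.g. "buyer"
    attrs: dict            # user attributes: company, department, location

@dataclass(frozen=True)
class Resource:
    required_role: str
    attrs: dict            # organization attributes plus data classification

# The one policy: user attribute -> resource attribute that must be equal.
ORG_MATCH = {"company": "company", "department": "department"}
# Constructed value: locations cleared for export-controlled data.
EXPORT_CLEARED_LOCATIONS = frozenset({"US"})

def decide(user, resource):
    """Return (allowed, reason). Deny by default; a missing attribute never matches."""
    if user.functional_role != resource.required_role:
        return False, "functional role mismatch"
    for user_key, res_key in ORG_MATCH.items():
        u, r = user.attrs.get(user_key), resource.attrs.get(res_key)
        if u is None or r is None:
            return False, f"missing attribute: {user_key}"
        if u != r:
            return False, f"{user_key} mismatch"
    # The finer-grained rule is one more attribute check, not a new set of roles.
    # Resources with no classification are treated as export controlled (fail closed).
    if resource.attrs.get("export_controlled", True):
        if user.attrs.get("location") not in EXPORT_CLEARED_LOCATIONS:
            return False, "export control: location not cleared"
    return True, "permit"

# Constructed sample data: two resources and three users sharing one functional role.
ORG = {"company": "1000", "department": "procurement"}
PO = Resource("buyer", {**ORG, "export_controlled": False})
SPEC = Resource("buyer", {**ORG, "export_controlled": True})
ALICE = Subject("buyer", {**ORG, "location": "DE"})
BOB = Subject("buyer", {"company": "2000", "department": "procurement", "location": "US"})
CAROL = Subject("buyer", {**ORG, "location": "US"})

if __name__ == "__main__":
    for name, user in (("alice", ALICE), ("bob", BOB), ("carol", CAROL)):
        for res_name, res in (("po", PO), ("spec", SPEC)):
            print(name, res_name, decide(user, res))
```

All three users hold the same functional role; the different outcomes come only from their attributes, so a new company or location needs new attribute values rather than new roles.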
With ABAC, we not only minimize the issues we have seen with role explosion, but also reap additional benefits. These are a few I have seen in a lot of our customers' business environments:
- Finer-grained controls: the need to extend access controls beyond coarse organizational authorizations like plant, company code, cost center, etc.
- Ability to read dynamic attributes of resources and users in this ever-changing business environment while making policy decisions for access controls.
- Use of internal as well as third-party attribute information to allow external users to access your information, yet provide appropriate access controls.
- Ability to use external data classification systems to understand the resource attributes instead of extending the master data structures to implement custom authorization requirements.
- And the ability to achieve all this with flexibility, scalability and minimum effort to manage.
Let's look at how this is possible in a real-life example.