This document discusses the importance of having an appropriate SAP role design as the foundation for GRC and IAM tools. It states that outdated or inappropriate role designs provide users with too much access, diminishing the effectiveness of these tools. The document outlines how access control and identity access management solutions are negatively impacted by a poor underlying role design. It describes that a role cleanup or redesign is needed to properly address inappropriate role designs. A cleanup is quicker but a redesign allows incorporating new access requirements and controls over time. Having a proper role design is central to extracting value from GRC/IAM investments and achieving a secure SAP environment.
Thoughts intuitively turn to GRC and IAM tools to achieve this. Without addressing the underlying issues of the SAP role design, GRC and IAM tools will not deliver the expected results and will leave the organisation disappointed.
Many organisations have outdated role designs that provide users with access well beyond what their job functions require. These organisations mistakenly assume SAP security can be solved solely with products and tools, e.g. Access Control or Identity Access Management solutions.
These tools will help, but their capability is significantly diminished if the underlying SAP role design is outdated and/or inappropriate. Your organisation won't derive the expected value from these investments because of the poor underlying role design.
The impact of inappropriate SAP role design
Let's consider the impact of an inappropriate SAP role design, one that provides users with far too much access, on both GRC and IAM tools.
Access Control solution
The Access Control solution highlights so many access risk violations that the business users reviewing them don't know where to start. Faced with that volume, business users may start approving every SAP access change request without placing much value on the risk analysis results. In short, the capability of the access risk solution is diminished.
Identity Access Management solution
The Identity Access Management solution brings efficiencies to the joiner, mover and leaver processes. However, it will be automating the assignment of inappropriate access, which results in a very high access risk count. This is far from ideal and counter-productive to the organisation's S/4HANA strategy, particularly as these organisations are placing more emphasis on security.
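The mechanism behind both points above can be shown with a toy segregation-of-duties (SoD) analysis. The following is an added example written for this page, not code from the original article or from any SAP GRC product: the business functions, transaction codes, SoD rule set, role names and users are all constructed for illustration. It counts the violations an Access Control tool would list for a legacy design with one broad purchase-to-pay role against a redesign with one single role per task, and then shows how an IAM-style joiner process that copies a reference user's roles multiplies whatever the role design already contains.

```python
"""Added example (not from the original article): a toy segregation-of-duties
(SoD) analysis showing why an over-broad SAP role design floods an Access
Control tool with violations and why IAM-driven provisioning then spreads them.
Roles, transactions, users and the rule set are constructed for illustration."""

# Constructed business functions, each defined by the SAP transactions that perform it.
FUNCTIONS = {
    "VENDOR_MAINTAIN": {"XK01", "XK02", "FK01", "FK02"},
    "VENDOR_INVOICE": {"FB60", "MIRO"},
    "PAYMENT_RUN": {"F110"},
    "PO_CREATE": {"ME21N", "ME22N"},
    "GOODS_RECEIPT": {"MIGO"},
}

# Constructed SoD rule set: pairs of functions one user must not hold together.
RULES = [
    ("VENDOR_MAINTAIN", "VENDOR_INVOICE"),
    ("VENDOR_MAINTAIN", "PAYMENT_RUN"),
    ("VENDOR_INVOICE", "PAYMENT_RUN"),
    ("PO_CREATE", "GOODS_RECEIPT"),
]


def functions_performed(tcodes):
    """Functions a transaction set enables; any one transaction of a function suffices."""
    return {name for name, codes in FUNCTIONS.items() if codes & tcodes}


def sod_violations(tcodes):
    """Rules violated by one user's effective transaction set."""
    performed = functions_performed(tcodes)
    return [rule for rule in RULES if rule[0] in performed and rule[1] in performed]


def effective_tcodes(user, roles, assignments):
    """Union of the transactions in every role assigned to the user."""
    return set().union(*(roles[r] for r in assignments.get(user, ())))


def risk_report(roles, assignments):
    """User -> violated rules; the sum is the violation count an Access Control tool would list."""
    return {user: sod_violations(effective_tcodes(user, roles, assignments)) for user in assignments}


def total_violations(report):
    return sum(len(rules) for rules in report.values())


def provision_joiner(new_user, reference_user, assignments):
    """IAM-style joiner provisioning that copies a reference user's role list.
    The joiner inherits every SoD violation the reference user already has."""
    updated = dict(assignments)
    updated[new_user] = list(assignments[reference_user])
    return updated


# Constructed legacy design: one broad role carrying the whole purchase-to-pay process.
LEGACY_ROLES = {"Z_P2P_ALL": set().union(*FUNCTIONS.values())}
LEGACY_ASSIGNMENTS = {"ALICE": ["Z_P2P_ALL"], "BOB": ["Z_P2P_ALL"], "CAROL": ["Z_P2P_ALL"]}

# Constructed redesigned roles: one task-based single role per function.
REDESIGNED_ROLES = {"Z_" + name: codes for name, codes in FUNCTIONS.items()}
REDESIGNED_ASSIGNMENTS = {
    "ALICE": ["Z_VENDOR_MAINTAIN"],
    "BOB": ["Z_VENDOR_INVOICE", "Z_PO_CREATE"],
    "CAROL": ["Z_PAYMENT_RUN", "Z_GOODS_RECEIPT"],
}

if __name__ == "__main__":
    for label, roles, assignments in (
        ("legacy", LEGACY_ROLES, LEGACY_ASSIGNMENTS),
        ("redesigned", REDESIGNED_ROLES, REDESIGNED_ASSIGNMENTS),
    ):
        before = risk_report(roles, assignments)
        after = risk_report(roles, provision_joiner("DAVE", "ALICE", assignments))
        print(f"{label}: {total_violations(before)} violations, "
              f"{total_violations(after)} after IAM provisions DAVE like ALICE")
```

With the legacy design every user trips all four rules (12 violations for three users, 16 once the joiner is provisioned), so the reviewer has nothing to prioritise and everything looks equally red. With task-based single roles the same users and the same rule set produce zero violations, and the IAM process copies clean access instead of conflicts. The tool did not change between the two runs; only the role design did.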
So, what does all this mean practically?
If you're a GRC practitioner wanting to leverage your organisation's S/4HANA journey to bolster your security, and you suspect your underlying SAP role design is outdated, what should you do to address this?
You have two options for addressing an inappropriate SAP role design: either an SAP role clean-up or an SAP role redesign. Let's explain this in a bit more detail.
SAP Role Clean-up
An SAP role clean-up is usually possible where the underlying SAP role design is still in relatively good shape, i.e. the SAP single roles are well built.
An SAP role clean-up is usually preferred by organisations as it is a quicker and less expensive project. An additional benefit is that it is less disruptive to the business, with fewer end-users involved in testing and fewer authorisation issues than in a redesign project.
SAP Role Redesign
A role redesign is recommended when the effort to clean up the SAP solution is greater than the effort to perform a role redesign; in other words, the SAP solution has deteriorated past the point of no return. An SAP role redesign is typically a longer, more costly engagement than a role clean-up, and entails greater levels of business involvement and disruption. However, there are several significant benefits to an SAP role redesign.
Firstly, if your organisation has not performed a role redesign for several years, its control requirements may have changed over time. For example, Movement Types or Warehouse Numbers may not have been important ten years ago. With a role redesign, these new control elements can be introduced into the roles.
SAP has introduced several new control authorisations over the years. For example, table access can now be controlled at the more granular level of the table name (authorisation object S_TABU_NAM) rather than only at the wider level of table authorisation groups (S_TABU_DIS). At the same time, many new data privacy regulations are affecting organisations.
As a result, more granular control is required, which can be achieved through a role redesign project. Data privacy by design is central to most of the data privacy regulations, and implementing it with a role redesign is likely to be easier than doing so as part of a role clean-up project.
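The S_TABU_DIS versus S_TABU_NAM point above is easiest to see by modelling how SAP evaluates generic table access. The following is an added example written for this page, not code from the original article or from SAP: it is a simplified model of the AUTHORITY-CHECK semantics for the two objects, following the order SAP documents for generic table tools such as SE16 and SM30 (S_TABU_DIS on the table's authorisation group first, then S_TABU_NAM on the table name as fallback) and leaving out S_TABU_CLI and S_TABU_LIN. The table catalogue, the group assignments and the two role profiles are constructed for illustration.

```python
"""Added example (not from the original article): a small model of how SAP
evaluates generic table access with S_TABU_DIS (per authorisation group) versus
S_TABU_NAM (per table name). The check order follows SAP's documented behaviour
for generic table tools such as SE16/SM30: S_TABU_DIS first, then S_TABU_NAM as
fallback; S_TABU_CLI and S_TABU_LIN are left out. Table-to-group mapping and
role contents are constructed for illustration."""


def value_allowed(allowed_values, value):
    """SAP authorisation field semantics: exact value, full '*' or trailing '*' wildcard."""
    for pattern in allowed_values:
        if pattern == "*" or pattern == value:
            return True
        if pattern.endswith("*") and value.startswith(pattern[:-1]):
            return True
    return False


def authority_check(profile, obj, **fields):
    """Mimics AUTHORITY-CHECK: succeeds if one authorisation instance of the object
    satisfies every requested field at once (fields are never combined across instances)."""
    for auth in profile.get(obj, []):
        if all(value_allowed(auth.get(field, ()), value) for field, value in fields.items()):
            return True
    return False


def table_access_allowed(profile, table, activity, auth_groups):
    """Generic table access: authorisation-group check, then table-name check."""
    group = auth_groups.get(table, "&NC&")  # tables without a group fall into &NC&
    if authority_check(profile, "S_TABU_DIS", DICBERCLS=group, ACTVT=activity):
        return True
    return authority_check(profile, "S_TABU_NAM", TABLE=table, ACTVT=activity)


def tables_visible(profile, activity, auth_groups):
    """Every table in the catalogue the profile can access with the given activity."""
    return sorted(t for t in auth_groups if table_access_allowed(profile, t, activity, auth_groups))


# Constructed catalogue: HR infotype tables sharing one authorisation group, plus one other.
AUTH_GROUPS = {
    "PA0001": "PA",  # organisational assignment
    "PA0002": "PA",  # personal data
    "PA0009": "PA",  # bank details
    "MARA": "MA",    # material master
}

# Constructed legacy role: display (ACTVT 03) on the whole PA group -> every PA table.
LEGACY_PROFILE = {
    "S_TABU_DIS": [{"DICBERCLS": {"PA"}, "ACTVT": {"03"}}],
}

# Constructed redesigned role: display on PA0001 by name only; no S_TABU_DIS at all.
REDESIGNED_PROFILE = {
    "S_TABU_NAM": [{"TABLE": {"PA0001"}, "ACTVT": {"03"}}],
}

if __name__ == "__main__":
    print("legacy role sees:    ", tables_visible(LEGACY_PROFILE, "03", AUTH_GROUPS))
    print("redesigned role sees:", tables_visible(REDESIGNED_PROFILE, "03", AUTH_GROUPS))
    print("redesigned role can change PA0001:",
          table_access_allowed(REDESIGNED_PROFILE, "PA0001", "02", AUTH_GROUPS))
```

The legacy role was built to let someone look at organisational assignments, but because S_TABU_DIS grants the whole authorisation group it also exposes personal data and bank details in the same group. The redesigned role names the one table the job needs and nothing else, which is the privacy-by-design granularity a redesign can introduce and a clean-up of group-based roles cannot easily reach. Note the fallback: a user who has S_TABU_DIS for a group does not need S_TABU_NAM, so adding S_TABU_NAM to roles only tightens access once the broad S_TABU_DIS values are removed.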
In summary, central to any secure SAP environment is a good SAP role design. It forms the backbone of all things GRC.
If your organisation does not see the value in addressing the underlying SAP role design, it will never extract the expected value from its GRC and IAM solutions. Addressing the SAP role design is an investment well worth making in the long run.