Administering a large number of user accounts often presents companies with serious challenges, especially when you consider how complicated most of the available standard tools are. The effort is hardly manageable if user identities also need to be maintained in several systems, directory services, or databases.
The lack of an option to manage user IDs and authorizations transparently across multiple systems not only leads to insufficient clarity and SoD conflicts; it also requires more effort to address those issues.
We will demonstrate how you can manage the identities, roles and authorizations of your SAP users efficiently, including in a shared S/4HANA system landscape.
Topics of focus:
• Challenges of Identity Management in SAP S/4HANA systems
• Reduction of effort due to automated authorization requests
• Real-time risk assessment of critical authorizations
• Advantages of the SAST User Access Management
• Best practice tips
-------------------------------------------------------------------------------------------------------------
For information in German, please contact us: sast@akquinet.de
How to manage users, roles and rights in S/4HANA systems audit compliant. [Webinar]
1. How to manage users, roles and rights in S/4HANA systems audit compliant. Access Request Management with SAST SUITE.
2. Agenda
• Challenges of Identity Management in SAP S/4HANA systems
• Reduction of effort due to automated authorization requests
• Access Request Management with SAST SUITE
• Best practice tips for S/4HANA Central Hub
3. Challenges of Identity Management in SAP S/4HANA: Embedded Deployment vs. Central Hub Deployment
Embedded Deployment:
• Frontend and backend on one system
• Authorizations can be assigned on one system
Central Hub Deployment:
• Frontend and backend on separate systems
• A single point of entry for multiple backend systems
• No direct access to the backend systems
• Authorizations must be assigned on multiple systems
4. Challenges of Identity Management in SAP S/4HANA: Special features in an S/4HANA Central Hub Deployment
• Creation and conception of the backend authorizations
• Creation and conception of the frontend authorizations
• Simultaneous request of authorizations on several systems
• Assignment of authorizations on multiple systems
• Documentation of the authorization assignment across systems
• Increased administrative effort through multiple role assignments
→ More complex conception and assignment of authorizations
5. Reduction of effort due to automated authorization requests
Example: Requesting a new user
[Figure: four-step workflow: New User Request (key user) → Risk Analysis → Approval (manager for roles, HR and SoD) → Creating a user at the push of a button (user admin)]
7. Access Request Management with SAST SUITE
Integrated workflow:
• User master records
• Cross-system authorization management
• Lock/unlock of users
• Change of roles and authorizations
Role classification options:
• Single or composite roles
• Workplaces
• Function packages
Cross-system user/role catalogue:
• Search for users and roles in connected SAP systems
8. Access Request Management with SAST SUITE
Workflow cockpit:
Transaction: /SAST/WF_START
Request, Approval, Implement
9. Access Request Management with SAST SUITE
Administrator cockpit:
Transaction: /SAST/WF_CONFIG
11. Access Request Management with SAST SUITE: External web interface
• Externally defined access to selected functions and data
• Access via generated web services
Interfaces:
• Create a new user request
• Create a new role request
• Retrieve request status
• Check SoD conflicts for a user
• Check existence of the user in the SAP system
• Get details about a user
• Determine currently valid roles of users
13. Access Request Management with SAST SUITE: Features
✓ Workflow integration via SAP mail or e-mail (e.g. Outlook)
✓ Standard integration in IDM tools (including SAP IDM)
✓ User check against Microsoft Active Directory or LDAP
✓ Customizable workflows
✓ Automatic SoD analysis
✓ User mass request (new user request, role changes)
✓ Possibility to add attachments to requests
✓ Predefined user exits for better customizability to special requirements
✓ Possibility to ask and document questions to involved parties
14. Access Request Management with SAST SUITE: Features
✓ Free definition of responsibilities per organizational area
✓ The behavior and the necessary approval steps can be customized individually for each process
✓ Grouping of the responsible users in groups possible
✓ Cross-system role request
✓ Central identity database:
• Import from LDAP / MS AD systems
• Import from SAP systems via RFC
• Import from third party system interfaces for Ariba etc.
15. Best practice tips for S/4HANA. Insights of a current customer project.
16. Best practice tips for S/4HANA Central Hub
Conception options from one of our current projects:
[Figure: headings "Approver", "Objects to request" and "assigned to"; objects shown: Workplaces, Function packages, Roles, OrganisationID; persons shown: HR manager, Role responsible, SoD responsible, Escalation responsible, Role administrator, User administrator]
17. Best practice tips for S/4HANA Central Hub: Management via workplaces
A workplace…
• …must be created for each system/client
• …consists of roles on the target client
• …can be assigned to individual organization IDs
• …can be imported from Excel
18. Best practice tips for S/4HANA Central Hub: Management via function packages
A function package…
• …merges roles and workstations across systems and clients
• …consists of roles and/or workplaces
• …can assign frontend and backend roles simultaneously
• …can be assigned to individual organization IDs
• …can be imported from Excel
[Figure: a function package combining a frontend workplace (Fiori roles) and a backend workplace (backend authorizations)]
19. Best practice tips for S/4HANA Central Hub: Management via function packages
Function packages can be used to assign workplaces and roles on different systems and clients.
20. Audit compliant SAP S/4HANA systems
Take Home Messages:
✓ It is important to create clarity about the user and role management concept and to develop an approach.
✓ Create a concept that is consistent across systems and clients, with descriptive names for roles and workplaces.
✓ The initial effort for mapping the concept and the processes saves immense follow-up effort in later administration.
✓ Identify the framework and limits of ideal workflows and reflect them realistically.
✓ A process with defined responsible persons and approvers will only work if the respective participants know and understand their tasks.